d8ba510e7dc3fc6231cafd7c798e48d95554e1ed3ecc0347037f2124d77d340b

General

Target

29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe
Size

120KB
MD5

29250cb3e58c75ae661d811dcd799347
SHA1

62adf0d827ab4bc261a571a3df0854c97b3826ad
SHA256

d8ba510e7dc3fc6231cafd7c798e48d95554e1ed3ecc0347037f2124d77d340b
SHA512

7856a7c6c94cc7df053103f7a09bbebd9ceeba574527475d9027f1148cea0ef625f05606dff4f4a01680d64d0f7b838893969ea328c26169fb39b04317a538ba
SSDEEP

768:aqqxZSLVr/SiD2erCIcBylFGqE4/M78+9al4maorD83opAY/Hp8b9Dj2z7VP7LdR:BEcp/Qe+IlKqEAguBrDjqiwX/cYADD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	vumuy.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe
2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/888-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-15-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-16-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-20-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2664-47-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2664-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-58-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\vumuy.exe"	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2888 set thread context of 2664	2888	vumuy.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe
888	svchost.exe
2888	vumuy.exe
2664	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2888	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2888 wrote to memory of 2664	2888	vumuy.exe	31
PID 2556 wrote to memory of 2644	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2644	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2644	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2644	2556	29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29250cb3e58c75ae661d811dcd799347_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\vumuy.exe
  "C:\Users\Admin\vumuy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Tempa.bat" "
  2⤵
  - Deletes itself
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempa.bat

Filesize
175B

MD5
b47a12c834ba8ddc255f158bbadb69f4

SHA1
53ca5ebf01edb21dd3c04d5cf73abafaf1dc4acd

SHA256
05aa10515fd5bb4b80c3ea91b12cbadfc7dc7394dbb7e7a464e970fcbe1db88b

SHA512
50570495b5a5baef64031431c4d1919b9944d89b9b4ee1779448843e335a1f986db3e36121278de0946edf1c44a1a6200c5ac3a2741d8901b001e83481f5f077

Download Submit
C:\Users\Admin\vumuy.exe

Filesize
120KB

MD5
29250cb3e58c75ae661d811dcd799347

SHA1
62adf0d827ab4bc261a571a3df0854c97b3826ad

SHA256
d8ba510e7dc3fc6231cafd7c798e48d95554e1ed3ecc0347037f2124d77d340b

SHA512
7856a7c6c94cc7df053103f7a09bbebd9ceeba574527475d9027f1148cea0ef625f05606dff4f4a01680d64d0f7b838893969ea328c26169fb39b04317a538ba

Download Submit
memory/888-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/888-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2664-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2664-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads