7f01801364767f0eb1f1416bec3e3e54ea17507131c97b2c6730fba33dc551c9

General

Target

2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
Size

32KB
MD5

2f4f9c95bd249637b5f00e5fcbcd059c
SHA1

b717d0867dce43acda74beb911c757b6c25180f3
SHA256

7f01801364767f0eb1f1416bec3e3e54ea17507131c97b2c6730fba33dc551c9
SHA512

50df805d7ef75e1c7c9de841cf63b3e15e1d2316d12dd1ab92d98af035b5600aef6a0f6bda093fba07785e8e32ee58ec262fdff5eee521d3581f46b2ef1f0b08
SSDEEP

768:sIKeabNShwUAze2GK3sF0rRAJyBEI8ZjH7M:lab46UAzf3sIRK/H7

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2016	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2064-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysapp44.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2436	sc.exe
2428	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1816	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1816	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1816	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1816	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2428	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2428	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2428	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2428	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2436	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2436	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2436	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2436	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2016	2064	2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe	34
PID 1816 wrote to memory of 2484	1816	net.exe	37
PID 1816 wrote to memory of 2484	1816	net.exe	37
PID 1816 wrote to memory of 2484	1816	net.exe	37
PID 1816 wrote to memory of 2484	1816	net.exe	37

C:\Users\Admin\AppData\Local\Temp\2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f4f9c95bd249637b5f00e5fcbcd059c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2484
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2436
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720520845.dat, ServerMain c:\users\admin\appdata\local\temp\2f4f9c95bd249637b5f00e5fcbcd059c_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1720520845.dat

Filesize
32KB

MD5
382528e2ad15af49754d8eb93ea0c58f

SHA1
e56372a958b65baf085e374955daab33c7042811

SHA256
d08d003602ee43328129d303266bb25c0c3bc8a12cec0127db3bf37b62f6616d

SHA512
e3581a93e439a305e011191845ca19414bc61ef522502f393e0567ba64e24f09800649ed069f7d71d9b2397f659eceedca89d788c0b64fdfffc3a3d63fd0ac87

Download Submit
memory/2064-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2064-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing