c683f142faad47db9fcbaed2ce63aa670b711b6f5622b89ffa4263b7f7ac717e

General

Target

36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
Size

32KB
MD5

36adbdb71ebab3834301b628f47c6ea9
SHA1

b905a7a5564382484c2f2a1257db4363ed9f4c37
SHA256

c683f142faad47db9fcbaed2ce63aa670b711b6f5622b89ffa4263b7f7ac717e
SHA512

7037f184e9869c457731534162b98b259f672194aab563ef59f5fadb4f884efe18878e18eda39b051b4015bb6594902147cd7873aac132a29910e9b23702c317
SSDEEP

768:EEl6Ovnxd1HN1SZnpDoR89WIB825ykUPLfUMXW1F52SDV:EEkWB1SZ6RcB82chPAX1NDV

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
1840	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1840	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/664-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/664-10-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUmidimap.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp17.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUksuser.dll	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4732	sc.exe
2772	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 3060	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	83
PID 664 wrote to memory of 3060	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	83
PID 664 wrote to memory of 3060	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	83
PID 664 wrote to memory of 4732	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	84
PID 664 wrote to memory of 4732	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	84
PID 664 wrote to memory of 4732	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	84
PID 664 wrote to memory of 2772	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	85
PID 664 wrote to memory of 2772	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	85
PID 664 wrote to memory of 2772	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	85
PID 664 wrote to memory of 1840	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	89
PID 664 wrote to memory of 1840	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	89
PID 664 wrote to memory of 1840	664	36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe	89
PID 3060 wrote to memory of 3972	3060	net.exe	90
PID 3060 wrote to memory of 3972	3060	net.exe	90
PID 3060 wrote to memory of 3972	3060	net.exe	90

C:\Users\Admin\AppData\Local\Temp\36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36adbdb71ebab3834301b628f47c6ea9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:3972
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4732
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2772
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720651083.dat, ServerMain c:\users\admin\appdata\local\temp\36adbdb71ebab3834301b628f47c6ea9_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysapp17.dll

Filesize
31KB

MD5
2cd61e812ff00f4c43431a3184b890ee

SHA1
034b01a12791e1d5d9da4c5922b267e0e16aa89e

SHA256
89220b14ebd50f730b0c4961a9b4e3b3a08b4090c8216abb1cc971ed3528a371

SHA512
bfe3dd8ca37ef9d7549475b6f893c65a3ef68965524cdc800521cb3938731841a919ba23a6f60a1e63380a16730f5aaf8912e7c445be36934a592442606f67de

Download Submit
memory/664-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/664-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing