bceb901a7c5b5e9ddbf2d74a5da4cbcf73c44c2d4bde6749cee8c4d53f38e775

General

Target

3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
Size

186KB
MD5

3705cc2935a43d140d20f1d8ec41a9bb
SHA1

1b1a4088266bbf840ee363dead9524c883757998
SHA256

bceb901a7c5b5e9ddbf2d74a5da4cbcf73c44c2d4bde6749cee8c4d53f38e775
SHA512

13e5bd039ea0a54d2719f496acbf177f524c82236f5b42b4cc1d7adb0166d577274f59250637485082a2d623298dfa7a83b930307b2f72392b8a9189e007535f
SSDEEP

3072:0n6vBEEvERgS1z1/rUP44bqPvtiFEoZkz8sCPUqHVQ1OWHkRqi/3HuNGRFIcqEI1:csrWm44WPKEL8sC8qHq1OWHi/39RCcbS

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4944-3-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2936-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2936-4-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2936-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4944-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4780-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4780-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4780-13-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4944-15-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4944-214-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2936	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	83
PID 4944 wrote to memory of 2936	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	83
PID 4944 wrote to memory of 2936	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	83
PID 4944 wrote to memory of 4780	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4780	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4780	4944	3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe%C:\Users\Admin\AppData\Roaming\Microsoft\Windows
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3705cc2935a43d140d20f1d8ec41a9bb_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
00c674116ca6bd2e13d75e8294980bac

SHA1
3afdedffaece8ad72cbf7cd29a48e063fbf5e70c

SHA256
55f24ea7efeae54d7cf4d3f9b9ff71dd114d6977a9a7458915e6bca9f28db0b9

SHA512
24bd82d171887139435d7d9a7d78c6198cfb5f4870d5530d67e2f4aa4363cbae8b55f695292612cb515705ef5b5cbadd84e473bdd1b14b3beb0a69446cb00215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
1KB

MD5
72a0531fcfce5d9a1043c82e463d2b5c

SHA1
26a0a5f37ea632c286a27e9cd16286ccade2161e

SHA256
012e31fbe266cf2704b6ec8850628d198741455f8adcd472c4fbfceeffb82e22

SHA512
3155cb1bd46dfa0604ae70d57380744d2799e705a432e8c3393ed1b10f860695a10a336e4481fc4a86e35b1e54c305ab901360633628c573b30ee4ecb28071e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
396B

MD5
0bbe363010abb04b7568eeea36d8e638

SHA1
0f422e59292b6d6a3e1f4366476bf1e598a661ce

SHA256
8743f1f8962dfe21d432bf8e2802a872569695b6709f9c6d6a274e687ee297bc

SHA512
1b0eb94840e640fb8101f955ee36d3b6d086a8c704b108ce9918f07bd33d3bf672a91c35975ad85673e3dc711e3094410f7b44027b9b94eeb4192efac3214643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg

Filesize
792B

MD5
cddd2bce6f86d08df65a13e21bf3812a

SHA1
c5f7aff6906c89b3565d431405f7deecd88e9cbc

SHA256
58e6bf4c99c10b6e160b5b537d8be5933ccf2f281035d9f058d189d4d9c5a6d6

SHA512
0b1925ee7190be2b4de31306c3c17e91655b9e7a02f5632327cc7526264a7c0db85df971eef5c4d40a79491d3844b3f6f4e770527b056e1e001a7ef07c5f9506

Download Submit
memory/2936-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4944-1-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/4944-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4944-0-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Filesize
176KB

Download
memory/4944-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads