4b387734a22393c5f3557592bd53edf78d6f3be7b2fd19af4cd5eaf13fb3acc8

General

Target

37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe
Size

313KB
MD5

37d6f87dae4d561324139f0838e5c508
SHA1

6ca7a68f03d8e78754a9564bc9fa8b2dde9f9aa3
SHA256

4b387734a22393c5f3557592bd53edf78d6f3be7b2fd19af4cd5eaf13fb3acc8
SHA512

3ec7cce7c2133ee25d391cacd8cf582193065bb8e90812b12b84f8914224df8e77783762633b9feba94c84bbba89e9aaa98365aac1012a58a2b5ac25e879351b
SSDEEP

6144:OXkCB9cOEvq8MtzT9eg+VdeDPFhOyuKW/EXBfZnibHjFgJkWOK:UkCBO7EzU3ODdhOyuKfXnib5gEK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3108	eJgFjKc01819.exe

Executes dropped EXE 1 IoCs

pid	Process
3108	eJgFjKc01819.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe
3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-1-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3040-3-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3040-5-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3108-22-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3040-25-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3108-26-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3040-27-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/3108-35-0x0000000000400000-0x00000000004B2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eJgFjKc01819 = "C:\\ProgramData\\eJgFjKc01819\\eJgFjKc01819.exe"	eJgFjKc01819.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	eJgFjKc01819.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe
Token: SeDebugPrivilege	3108	eJgFjKc01819.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3108	eJgFjKc01819.exe
3108	eJgFjKc01819.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3108	eJgFjKc01819.exe
3108	eJgFjKc01819.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3108	eJgFjKc01819.exe
3108	eJgFjKc01819.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3108	3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe	29
PID 3040 wrote to memory of 3108	3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe	29
PID 3040 wrote to memory of 3108	3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe	29
PID 3040 wrote to memory of 3108	3040	37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\ProgramData\eJgFjKc01819\eJgFjKc01819.exe
  "C:\ProgramData\eJgFjKc01819\eJgFjKc01819.exe" "C:\Users\Admin\AppData\Local\Temp\37d6f87dae4d561324139f0838e5c508_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\eJgFjKc01819\eJgFjKc01819.exe

Filesize
313KB

MD5
3ee7a83971f8f8c12c7a7ad648295035

SHA1
67cd3e490bdd97d0da118bc8681124db5e75459b

SHA256
f24c4f029bd56d22230ae78c42868c544be159e3cdbb137e5507ef85c638b6a8

SHA512
9a689af0f3445a79c9ad19673104c69e1a875ab05174f9463d5872b68cfa6fa130096d7fd67a428fb958acccccd9572d831879644095b5c227dbf2fd196864f9

Download Submit
memory/3040-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3040-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3040-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3040-4-0x0000000000467000-0x00000000004AF000-memory.dmp

Filesize
288KB

Download
memory/3040-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3040-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3108-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3108-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3108-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads