2f57ec881ec13c5293400b0b933f6ff8ec15122d9963ff6e70f8959428c02757

General

Target

39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe
Size

1.3MB
MD5

39f9d17395a7112b6e5a2ea8377a1a66
SHA1

363bdb2a80f56700446d8f4cefc116eb11544162
SHA256

2f57ec881ec13c5293400b0b933f6ff8ec15122d9963ff6e70f8959428c02757
SHA512

9f2c4c3f848d869a5e9a8743b9ede3e34cb5c2747f2fa95824147ccd4badb27ef9d4aa62373fe8a841d43355f451c90f018d974d78259b23960ca9724befa296
SSDEEP

24576:vA3m4NWNwH6U+X+7WX/baOwkuSCwhm2v+K8zyHyhX8DLRVvEYg7:Y3o+6x+7sDwDSLm2GxGw6/vEYg7

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2156	wg.exe
2688	CsOnline.exe
2692	110.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-22-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x00080000000173b8-19.dat	upx
behavioral1/memory/2688-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dsound.dll.dat	CsOnline.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll.dat	CsOnline.exe
File created	C:\Windows\SysWOW64\dsound.dll.bad	CsOnline.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\mfc1342.lOG	CsOnline.exe
File opened for modification	C:\Windows\system\mfc1342.lOG	CsOnline.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2688	CsOnline.exe
2688	CsOnline.exe
2688	CsOnline.exe
2688	CsOnline.exe
2688	CsOnline.exe
2688	CsOnline.exe
2692	110.exe
2692	110.exe
2692	110.exe
2692	110.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	CsOnline.exe
Token: SeDebugPrivilege	2688	CsOnline.exe
Token: SeDebugPrivilege	2688	CsOnline.exe
Token: SeIncBasePriorityPrivilege	2692	110.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	110.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe
1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe
2156	wg.exe
2156	wg.exe
2156	wg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2156	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	30
PID 1544 wrote to memory of 2156	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	30
PID 1544 wrote to memory of 2156	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	30
PID 1544 wrote to memory of 2156	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	30
PID 1544 wrote to memory of 2688	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2688	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2688	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2688	1544	39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2692	2156	wg.exe	32
PID 2156 wrote to memory of 2692	2156	wg.exe	32
PID 2156 wrote to memory of 2692	2156	wg.exe	32
PID 2156 wrote to memory of 2692	2156	wg.exe	32
PID 2688 wrote to memory of 3000	2688	CsOnline.exe	33
PID 2688 wrote to memory of 3000	2688	CsOnline.exe	33
PID 2688 wrote to memory of 3000	2688	CsOnline.exe	33
PID 2688 wrote to memory of 3000	2688	CsOnline.exe	33

C:\Users\Admin\AppData\Local\Temp\39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39f9d17395a7112b6e5a2ea8377a1a66_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\wg.exe
  C:\wg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\110.exe
    "C:\110.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2692
- C:\CsOnline.exe
  C:\CsOnline.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tempVidio.bat" "
    3⤵
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\110.exe

Filesize
60KB

MD5
19b79f598a8eb08b84a6f716a5983b25

SHA1
e39ed35f8cfe6a11e75ffa539f05a861a951c7e5

SHA256
565899fb4cb5b269233e8ec756f8fbfb64fe5ee86341fd51e6dd4004b4d097b0

SHA512
4fc5f4c7d5c80b09fb2ccbab955ca6fe0c9353053cf54329b5e4017cb32c8316baf665947f21b2a4e6cb9e2c0963b9005b5381a0b509ffe96e2a8da0513a0942

Download Submit
C:\CsOnline.exe

Filesize
18KB

MD5
570c00caff64cdb29fb0f8fc19edd904

SHA1
3547c1062f82f5a131af74f211e942f8aa6248fb

SHA256
1b6470cd66688a5fc4884fd148046612492805c30dd1c019cafcce93a3601a4c

SHA512
2f25213c7ddc934373ac26504ed8cf5b595088085f85286367e11751a4d95d26455bfb8bf995997ca352d93ef2f9924cf15fc4b56f83cd4987fa6edea25c7aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempVidio.bat

Filesize
137B

MD5
d1d79ce563b3398a8d6699ee26c27bd9

SHA1
ca230c9a61bbbf29f313c832a5fa90d5a41b3217

SHA256
2a057e9d4318bedc69fe2becaedba9e171427dee2c0dec40fca06c810e8dd15b

SHA512
e97678466d8f9e9506e0bb076c1fa426187b8f96f451331957e14e85993c58d9798ad5737f53a1bae6ddf17440c97f75a2df81f15ae195ba3721eca254788acd

Download Submit
C:\Windows\SysWOW64\dsound.dll.bad

Filesize
443KB

MD5
4c23ced8331319f08f79aedc8883a013

SHA1
14cf02ad559de6d1f540c9e751c831469d120c7e

SHA256
9826a51bc43cef4739d60b404101e83eaebd9ca4cbec5d3ac9f42b3453a68922

SHA512
277bc26846a82f260f3486965380948733cbf5f75039be4f00e9acd208de145e3fba9a7e33c965cb68bfbf2297c2546c6e4073a9ab56f9b749d912d6bfc0f71d

Download Submit
C:\Windows\system\mfc1342.lOG

Filesize
20KB

MD5
c29aa6372d1695b8c5f439293d810eab

SHA1
702aa85547514ad110bc41237a3377173b0732ad

SHA256
8ce9e6b02779c59cdec656c0a0b1345f0ce149104c684a78e7bb35780525a19d

SHA512
722441bff36ddcfea98e1f26bda017b8e615d3506548f427a07381cdc00492ea2b9dfd19684c04ab6d2b82c2bac76a76dc00ee85aa18bbcda14313c1e010d78a

Download Submit
C:\wg.exe

Filesize
746KB

MD5
5ce28b75a227da5812a9279a2f6351ae

SHA1
cf72c47f42ca1c2149e035e8a978abedef7d1bd2

SHA256
9f00455b33b6813e0d88b15d2da0e932ec90a1d1429a29c90f62e38a72caebe6

SHA512
1ee1f4f8d4e2dafcb87114461625a5a688627453b9b32971c45e3514d09a8d78f0dc3b870c03be36b0584b4fdc47822845231e14a2fde39f69f5cc43d455f459

Download Submit
memory/1544-8-0x00000000020C0000-0x00000000022F6000-memory.dmp

Filesize
2.2MB

Download
memory/1544-7-0x00000000020C0000-0x00000000022F6000-memory.dmp

Filesize
2.2MB

Download
memory/1544-56-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/1544-57-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/1544-21-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/1544-20-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/2156-9-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2156-54-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2156-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2156-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2156-11-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2688-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2688-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2692-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing