d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

General

Target

3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Size

165KB
MD5

3b54de624a842bbb116c6189c8f94551
SHA1

9157e6d1c2b7057f8e352178452bf69f9d479c63
SHA256

d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7
SHA512

d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647
SSDEEP

3072:ABGuStDz/yIzfIenQKIsmtLeIAPGn2jS0gPsX8EsV5q7d+JYfvomTQpoutr:AB03/yMfId8GLsjdgPsMEsV47d+SP8oS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	Vfklkg.exe
4956	Vfklkg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-0-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral2/memory/3952-7-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral2/files/0x00090000000233ff-12.dat	upx
behavioral2/memory/1116-23-0x0000000000400000-0x0000000000531000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfklkg = "C:\\Users\\Admin\\AppData\\Roaming\\Vfklkg.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vfklkg = "C:\\Users\\Admin\\AppData\\Roaming\\Vfklkg.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 1116 set thread context of 4956	1116	Vfklkg.exe	88

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Vfklkg = "C:\\Users\\Admin\\AppData\\Roaming\\Vfklkg.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	Vfklkg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
1116	Vfklkg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3952 wrote to memory of 3556	3952	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	86
PID 3556 wrote to memory of 1116	3556	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	87
PID 3556 wrote to memory of 1116	3556	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	87
PID 3556 wrote to memory of 1116	3556	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe	87
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88
PID 1116 wrote to memory of 4956	1116	Vfklkg.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Vfklkg.exe"	3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3b54de624a842bbb116c6189c8f94551_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3556
- - C:\Users\Admin\AppData\Roaming\Vfklkg.exe
    "C:\Users\Admin\AppData\Roaming\Vfklkg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Roaming\Vfklkg.exe
      C:\Users\Admin\AppData\Roaming\Vfklkg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Vfklkg.exe

Filesize
165KB

MD5
3b54de624a842bbb116c6189c8f94551

SHA1
9157e6d1c2b7057f8e352178452bf69f9d479c63

SHA256
d6eb57fd34c3a527d60dfa22c2f1850bfdca618f978a4bb319c8b01571eb6ff7

SHA512
d606557534d6a409beaedcf5d85cb009d6da332c7ae05351bd2f40667a4e5eadb7e3a492f406f964523d5fdf3506c848a029fa11aee1f62b5f0899aa50a48647

Download Submit
memory/1116-23-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3556-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3556-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3556-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3952-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3952-7-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4956-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4956-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4956-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads