85aa498509e537b4b0ddf89bbed4782d22bd262eb97abd4c8c67777447383e3d

General

Target

3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
Size

33KB
MD5

3e9beaa23bf629f1cb88cbccb169bd4c
SHA1

74257fcb35d5bbcb3ca3961a600b0894cb33324a
SHA256

85aa498509e537b4b0ddf89bbed4782d22bd262eb97abd4c8c67777447383e3d
SHA512

5fcff6d7a3362b1174510a2c69ed8a9e1509775d69b76b291907afb64d7089c8d396ac895bdb267d5451ddf7dd76830c95ee981e3a2df340b0048dc739175f0d
SSDEEP

768:im7rz42odzHdoka2wjkYl3FnUTtLJo3c7oiP9yY3A3fZ:im7rz42M9JjwIM3RmtLJo3ClP9yY3A3B

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2204	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1972-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp29.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2064	sc.exe
2444	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3056	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	29
PID 1972 wrote to memory of 3056	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	29
PID 1972 wrote to memory of 3056	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	29
PID 1972 wrote to memory of 3056	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2064	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2064	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2064	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2064	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2444	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2444	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	32
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2204	1972	3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe	34
PID 3056 wrote to memory of 2900	3056	net.exe	36
PID 3056 wrote to memory of 2900	3056	net.exe	36
PID 3056 wrote to memory of 2900	3056	net.exe	36
PID 3056 wrote to memory of 2900	3056	net.exe	36

C:\Users\Admin\AppData\Local\Temp\3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e9beaa23bf629f1cb88cbccb169bd4c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2900
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2064
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720812863.dat, ServerMain c:\users\admin\appdata\local\temp\3e9beaa23bf629f1cb88cbccb169bd4c_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysapp29.dll

Filesize
32KB

MD5
47a3d52804127d134b736abe04ac5efd

SHA1
1f7000bdc83f6fdeca739ecbdab206bf55f88b2e

SHA256
489dcb0738e63187da1e6d51f3a11b20d4fa046dc45ea60385143608af409ad7

SHA512
ee132d0fb895728535651f1aeada9d822f66eadbd992dd994714983c7b3fa1046d307c1b4e7eb9bbd91386d8714f15038fc5bfa780c82e9514846d6eb6f06669

Download Submit
memory/1972-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1972-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing