d40f089fa61aedc4658f041eb95d91d404f52b432b96b696e91854c7a970e86e

General

Target

440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe
Size

249KB
MD5

440f9131d1a3615aa10836424b4d3134
SHA1

0f1353fd4ac77e4c98903b710870bb2067835c0d
SHA256

d40f089fa61aedc4658f041eb95d91d404f52b432b96b696e91854c7a970e86e
SHA512

45ec3693537f10c13c3f1037334041be4adffc54332837f7a41f4e744bdcd15b3bfa54dd9c1b156346cdd2fcb73dc244f3ec7b9818fbc165426191ea9bce5da6
SSDEEP

6144:pPi2fsaw6DaWVrDK04HPHylBRgINp0Vgj:Upwm4K9PHUQEp08

Score

10^/10

aspackv2 evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCH0ST.EXE

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023468-5.dat	aspack_v212_v242
behavioral2/files/0x000700000002346b-18.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4456	system.exe
1636	SVCH0ST.EXE

Loads dropped DLL 2 IoCs

pid	Process
4456	system.exe
4456	system.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Default64.SFX	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\Default64.SFX	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe
File created	C:\Program Files\NetMeeting\system.exe	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe
File created	C:\Program Files\NetMeeting\nmasu.dll	system.exe
File created	C:\Program Files\Messenger\SVCH0ST.EXE	system.exe
File created	C:\Program Files (x86)\Common Files\system\taobao.ico	SVCH0ST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\shell\open\command	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ie\ = "IEFILES"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\DefaultIcon	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.117	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\ = "FILEINFO"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\DefaultIcon	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ie	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\shell\open	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\system\\taobao.ico"	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\shell\open\command\ = "C:\\Program Files\\NetMeeting\\system.exe"	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "TBFILES"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\shell	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\DefaultIcon	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,28"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle\shell	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\shell\open\command	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\shell\open	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.117\ = "117FIle"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\ = "Internet Explorer"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\shell\open\command	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\shell\open	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://%w%w%w.22%qi.%com/%t%a%o%b%a%o.h%t%ml"	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\ = "Internet Explorer"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\117FIle	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFILES\shell	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEFILES\shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://%w%w%w.22%qi.%com"	SVCH0ST.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4456	system.exe
4456	system.exe
4456	system.exe
4456	system.exe
1636	SVCH0ST.EXE
1636	SVCH0ST.EXE
1636	SVCH0ST.EXE
1636	SVCH0ST.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4456	system.exe
4456	system.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4456	4860	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe	83
PID 4860 wrote to memory of 4456	4860	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe	83
PID 4860 wrote to memory of 4456	4860	440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe	83
PID 4456 wrote to memory of 1636	4456	system.exe	85
PID 4456 wrote to memory of 1636	4456	system.exe	85
PID 4456 wrote to memory of 1636	4456	system.exe	85

C:\Users\Admin\AppData\Local\Temp\440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\440f9131d1a3615aa10836424b4d3134_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Program Files\NetMeeting\system.exe
  "C:\Program Files\NetMeeting\system.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Program Files\Messenger\SVCH0ST.EXE
    "C:\Program Files\Messenger\SVCH0ST.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Messenger\SVCH0ST.EXE

Filesize
201KB

MD5
1e0eb07e2e6f297a7b9384a2931e35b4

SHA1
8c5e568d4366ac33c45bc7b2264316c02fe14148

SHA256
1e12ebd50990bada4dd8ae6e3a83b35d1cafb29e0cd819d139b7bbe2d7f87805

SHA512
99a6cf9c3c4f7c794582836e472090609adf7b40a442d0e8eb6ffb94167009562d12eda627809ca41e9186864b2ff00229e2f8cf4ed051495f40cef5937b488a

Download Submit
C:\Program Files\NetMeeting\nmasu.dll

Filesize
222KB

MD5
5446efc59699da00431c074ef7fa70fd

SHA1
93fc96aaca1a229476fcefe74903a2341268e897

SHA256
02321c8072f8348c74ae79e4c0c4b098d074acea429a263ca257badedc01b80d

SHA512
b3d9c6f3983e17b0e3aa1d891c5b24117e206e7d06a6de725cf2219769f26756d68e86fa8d06d6cb0b88ae43378001d1966169a587cda6d382513500c8a2b2dc

Download Submit
C:\Program Files\NetMeeting\system.exe

Filesize
249KB

MD5
440f9131d1a3615aa10836424b4d3134

SHA1
0f1353fd4ac77e4c98903b710870bb2067835c0d

SHA256
d40f089fa61aedc4658f041eb95d91d404f52b432b96b696e91854c7a970e86e

SHA512
45ec3693537f10c13c3f1037334041be4adffc54332837f7a41f4e744bdcd15b3bfa54dd9c1b156346cdd2fcb73dc244f3ec7b9818fbc165426191ea9bce5da6

Download Submit
memory/1636-32-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1636-21-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1636-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4456-14-0x0000000002220000-0x0000000002271000-memory.dmp

Filesize
324KB

Download
memory/4456-15-0x00000000005B0000-0x00000000005B3000-memory.dmp

Filesize
12KB

Download
memory/4456-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4456-31-0x0000000002220000-0x0000000002271000-memory.dmp

Filesize
324KB

Download
memory/4456-30-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4456-33-0x00000000005B0000-0x00000000005B3000-memory.dmp

Filesize
12KB

Download
memory/4456-51-0x0000000002220000-0x0000000002271000-memory.dmp

Filesize
324KB

Download
memory/4456-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4860-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4860-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing