7bab3a0315d92af33df8c6844f94a8a5efb5dff7e250c54c2db01b76d7915034

General

Target

45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
Size

33KB
MD5

45bd38bf9f094cd1bab528bdae3b1332
SHA1

d34122435100d068093eabb4c7b81e8546928102
SHA256

7bab3a0315d92af33df8c6844f94a8a5efb5dff7e250c54c2db01b76d7915034
SHA512

bececfb5558686c9e413c72a9768977f59ef374251db33df6371dc0b437315829eea40779a67522fa3613f6dd17097d58a0829b222aafd361d15a2402f25a34a
SSDEEP

768:eIYeTfP8X068tV/RKkF9tReY3CkYuNEa9GQ0pM:+eTHI068tBRKEtZDvEmGQ0p

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
4936	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4936	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3756-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msimg32.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp22.dll	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
392	sc.exe
3396	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4036	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	84
PID 3756 wrote to memory of 4036	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	84
PID 3756 wrote to memory of 4036	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	84
PID 3756 wrote to memory of 392	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	85
PID 3756 wrote to memory of 392	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	85
PID 3756 wrote to memory of 392	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	85
PID 3756 wrote to memory of 3396	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	86
PID 3756 wrote to memory of 3396	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	86
PID 3756 wrote to memory of 3396	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	86
PID 3756 wrote to memory of 4936	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	90
PID 3756 wrote to memory of 4936	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	90
PID 3756 wrote to memory of 4936	3756	45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe	90
PID 4036 wrote to memory of 1220	4036	net.exe	91
PID 4036 wrote to memory of 1220	4036	net.exe	91
PID 4036 wrote to memory of 1220	4036	net.exe	91

C:\Users\Admin\AppData\Local\Temp\45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45bd38bf9f094cd1bab528bdae3b1332_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1220
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:392
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:3396
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1720958716.dat, ServerMain c:\users\admin\appdata\local\temp\45bd38bf9f094cd1bab528bdae3b1332_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1720958716.dat

Filesize
33KB

MD5
c08da2229c7f3a98594b809cb44ff1cf

SHA1
dfd13f50de379d40ca2121cf956ba695a89b0891

SHA256
034de435d4cb1500a997b42f02b9139defdebe0b5d1f05d43a5b5383dd3b86d4

SHA512
d5cf5707fbd33bdc486a9d2d31ff9c9b530dda7a3fcac3963971aa4f6419918ffc7a93e61fea6d20427dec167f76f8592c53934f16776b16c6376ff5ad13a951

Download Submit
memory/3756-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3756-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing