6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a

General

Target

45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
Size

21KB
MD5

45bef09086bdc314598d50d123d8e7e6
SHA1

520ae4ff7a037079b82120816cfdb3ced0f14d5b
SHA256

6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a
SHA512

5423f0e285153265bb0ba46a1562d87c45ed23dd07557953d11efa48e65dc1f01fa55a0046049e1e57438ae2019c724cd9922a0feee9f859487a9399cbc491dc
SSDEEP

384:MYvthSSYGdnT9Sw3NNAGiXtLrtPsjrTfNSbFbnrzK8N9CfiLCK1/3U:5EKT9t3IptrtEDMbFzfK8NmVKt3U

Score

10^/10

persistence upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xbrqqdie.dll = "{82D7ED3C-FBD9-49e5-B74A-517210780277}"	dsad22.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	dsad22.exe

Loads dropped DLL 3 IoCs

pid	Process
2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
2536	dsad22.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2568-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x000a0000000120d5-3.dat	upx
behavioral1/memory/2536-12-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2568-21-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2536-33-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xbrqqdie.tmp	dsad22.exe
File opened for modification	C:\Windows\SysWOW64\xbrqqdie.tmp	dsad22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32\ThreadingModel = "Apartment"	dsad22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}	dsad22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32	dsad22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32\ = "C:\\Windows\\SysWow64\\xbrqqdie.dll"	dsad22.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2536	dsad22.exe
2536	dsad22.exe
2536	dsad22.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	dsad22.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2536	dsad22.exe
2536	dsad22.exe
2536	dsad22.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2536	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2536	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2536	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2536	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2908	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2908	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2908	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2908	2568	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	31
PID 2536 wrote to memory of 788	2536	dsad22.exe	34
PID 2536 wrote to memory of 788	2536	dsad22.exe	34
PID 2536 wrote to memory of 788	2536	dsad22.exe	34
PID 2536 wrote to memory of 788	2536	dsad22.exe	34

C:\Users\Admin\AppData\Local\Temp\45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\dsad22.exe
  "C:\Users\Admin\AppData\Local\Temp\dsad22.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\8324.tmp.bat
    3⤵
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\AD9D.tmp.bat
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8324.tmp.bat

Filesize
132B

MD5
7d6249f1cea47ef588608864e84fd46d

SHA1
26b2c209a9ae8d4f4cb992d1c62b76eacc7fb068

SHA256
c162ce6ae94dafef9ad3117fc4012ff0cff660bd0a8f3d4cbf39e79c90844f6f

SHA512
c2d605b18a4c3e7dc91f5fba42c8f23fd6f19c7094badf4ea8747179b160abb359ff0b2d594718702645d5a5e53655df70fce3967afce479a219972e766bde35

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD9D.tmp.bat

Filesize
212B

MD5
98d603fcc978424dcbe6d5338fe7589e

SHA1
20c4bd717935e6961f4e034c15497938a0e0259e

SHA256
74d8a7e5ddca101ab989960a7c3f107deff4aa43bfed14efbc1d1e38987b6e1f

SHA512
ba06105b90a8295828f81da72c1a1ec7f45f6fa45ac05185f4f54dbc86644ea17821ad564101364182483354315279d6bb0bee30cc961ca185150f1c59916262

Download Submit
C:\Windows\SysWOW64\xbrqqdie.tmp

Filesize
2.4MB

MD5
27e09b35a75e9a4717f834d2e373a87e

SHA1
9b2c79b5388f188755faa0a6d2e2daa35404886a

SHA256
b24af0b3f1473f45a1f27109c52254800cc36faf8d8104bae7830877fa855778

SHA512
1c820ed3ff8abac60572283dca838dfe1388a7dc2d873e7061cae123ed5f887ecfd90885adf54c1f801eb19c3c9bf3508fa8ab33af37585a6024f11b281fdaba

Download Submit
\Users\Admin\AppData\Local\Temp\dsad22.exe

Filesize
21KB

MD5
45bef09086bdc314598d50d123d8e7e6

SHA1
520ae4ff7a037079b82120816cfdb3ced0f14d5b

SHA256
6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a

SHA512
5423f0e285153265bb0ba46a1562d87c45ed23dd07557953d11efa48e65dc1f01fa55a0046049e1e57438ae2019c724cd9922a0feee9f859487a9399cbc491dc

Download Submit
memory/2536-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2536-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2536-34-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2568-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-11-0x0000000002B00000-0x0000000002B14000-memory.dmp

Filesize
80KB

Download
memory/2568-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads