6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a

General

Target

45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
Size

21KB
MD5

45bef09086bdc314598d50d123d8e7e6
SHA1

520ae4ff7a037079b82120816cfdb3ced0f14d5b
SHA256

6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a
SHA512

5423f0e285153265bb0ba46a1562d87c45ed23dd07557953d11efa48e65dc1f01fa55a0046049e1e57438ae2019c724cd9922a0feee9f859487a9399cbc491dc
SSDEEP

384:MYvthSSYGdnT9Sw3NNAGiXtLrtPsjrTfNSbFbnrzK8N9CfiLCK1/3U:5EKT9t3IptrtEDMbFzfK8NmVKt3U

Score

10^/10

persistence upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xbrqqdie.dll = "{82D7ED3C-FBD9-49e5-B74A-517210780277}"	dsad22.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	dsad22.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	dsad22.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0009000000023459-5.dat	upx
behavioral2/memory/2404-9-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/400-12-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2404-25-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xbrqqdie.tmp	dsad22.exe
File opened for modification	C:\Windows\SysWOW64\xbrqqdie.tmp	dsad22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}	dsad22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32	dsad22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32\ = "C:\\Windows\\SysWow64\\xbrqqdie.dll"	dsad22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D7ED3C-FBD9-49e5-B74A-517210780277}\InProcServer32\ThreadingModel = "Apartment"	dsad22.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2404	dsad22.exe
2404	dsad22.exe
2404	dsad22.exe
2404	dsad22.exe
2404	dsad22.exe
2404	dsad22.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2404	dsad22.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2404	dsad22.exe
2404	dsad22.exe
2404	dsad22.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2404	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	85
PID 400 wrote to memory of 2404	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	85
PID 400 wrote to memory of 2404	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	85
PID 400 wrote to memory of 912	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	86
PID 400 wrote to memory of 912	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	86
PID 400 wrote to memory of 912	400	45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe	86
PID 2404 wrote to memory of 1140	2404	dsad22.exe	94
PID 2404 wrote to memory of 1140	2404	dsad22.exe	94
PID 2404 wrote to memory of 1140	2404	dsad22.exe	94

C:\Users\Admin\AppData\Local\Temp\45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45bef09086bdc314598d50d123d8e7e6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\dsad22.exe
  "C:\Users\Admin\AppData\Local\Temp\dsad22.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\43AB.tmp.bat
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6E79.tmp.bat
  2⤵
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43AB.tmp.bat

Filesize
132B

MD5
7d6249f1cea47ef588608864e84fd46d

SHA1
26b2c209a9ae8d4f4cb992d1c62b76eacc7fb068

SHA256
c162ce6ae94dafef9ad3117fc4012ff0cff660bd0a8f3d4cbf39e79c90844f6f

SHA512
c2d605b18a4c3e7dc91f5fba42c8f23fd6f19c7094badf4ea8747179b160abb359ff0b2d594718702645d5a5e53655df70fce3967afce479a219972e766bde35

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E79.tmp.bat

Filesize
212B

MD5
98d603fcc978424dcbe6d5338fe7589e

SHA1
20c4bd717935e6961f4e034c15497938a0e0259e

SHA256
74d8a7e5ddca101ab989960a7c3f107deff4aa43bfed14efbc1d1e38987b6e1f

SHA512
ba06105b90a8295828f81da72c1a1ec7f45f6fa45ac05185f4f54dbc86644ea17821ad564101364182483354315279d6bb0bee30cc961ca185150f1c59916262

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsad22.exe

Filesize
21KB

MD5
45bef09086bdc314598d50d123d8e7e6

SHA1
520ae4ff7a037079b82120816cfdb3ced0f14d5b

SHA256
6bfbe2c450ac06d912174ffc2dc64f14cf12472d031dd46a40286077dbcc758a

SHA512
5423f0e285153265bb0ba46a1562d87c45ed23dd07557953d11efa48e65dc1f01fa55a0046049e1e57438ae2019c724cd9922a0feee9f859487a9399cbc491dc

Download Submit
C:\Windows\SysWOW64\xbrqqdie.tmp

Filesize
2.1MB

MD5
cbe604514f9ed751bce4d189201307ad

SHA1
666525cf9f20a4e4786401107ec2d249d80b6eb1

SHA256
444991cfb87f39a0204377cc03f44f604b3023256d4e233f3b6705e037c0d755

SHA512
677534e924fa2aa06d8c548e4e390475dacab4c45cdc3fa18ba3ec1fe67c042099a6ffbd66d927a0be30d823732a8019288d7db7c6d477adad78e5a6d8a836b6

Download Submit
memory/400-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/400-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2404-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2404-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2404-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads