d358711d1febbfb896aa917ba93ff8a7e571fb28e35e036ac0dfb9d2196b182f

General

Target

463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
Size

410KB
MD5

463be2757961fd7fe766461e4ee42e11
SHA1

2df4b38aba0acc6bfc06ae43048bca8d7a7c81b2
SHA256

d358711d1febbfb896aa917ba93ff8a7e571fb28e35e036ac0dfb9d2196b182f
SHA512

efbb833ac4dddfe7b753443769981add7082ba331552e3f7f4c38807bcfffb9cf14c9bc0775a2f5976deb0cff89ff72c113cab1dee8adf6418fe106d4a6e83e3
SSDEEP

12288:fnNhuBoY8SorxgmA+nlvVl/vHgpuGI18dzUG5TK:fPatCg7EPBAp7I18SOTK

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe csrcs.exe"	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs = "C:\\Windows\\system32\\csrcs.exe"	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2180	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	csrcs.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2892	csrcs.exe
2892	csrcs.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000492000-memory.dmp	upx
behavioral1/files/0x000d0000000170f2-13.dat	upx
behavioral1/memory/2088-16-0x0000000005930000-0x00000000059C2000-memory.dmp	upx
behavioral1/memory/2892-31-0x0000000000400000-0x0000000000492000-memory.dmp	upx
behavioral1/memory/2892-51-0x0000000000400000-0x0000000000492000-memory.dmp	upx
behavioral1/memory/2088-62-0x0000000000400000-0x0000000000492000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2892-31-0x0000000000400000-0x0000000000492000-memory.dmp	autoit_exe
behavioral1/memory/2892-51-0x0000000000400000-0x0000000000492000-memory.dmp	autoit_exe
behavioral1/memory/2088-62-0x0000000000400000-0x0000000000492000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrcs.exe	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrcs.exe	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2728	PING.EXE
656	PING.EXE
1372	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
2892	csrcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2892	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2892	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2892	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2892	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	31
PID 2892 wrote to memory of 2136	2892	csrcs.exe	32
PID 2892 wrote to memory of 2136	2892	csrcs.exe	32
PID 2892 wrote to memory of 2136	2892	csrcs.exe	32
PID 2892 wrote to memory of 2136	2892	csrcs.exe	32
PID 2136 wrote to memory of 2728	2136	cmd.exe	34
PID 2136 wrote to memory of 2728	2136	cmd.exe	34
PID 2136 wrote to memory of 2728	2136	cmd.exe	34
PID 2136 wrote to memory of 2728	2136	cmd.exe	34
PID 2088 wrote to memory of 2180	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2180	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2180	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	35
PID 2088 wrote to memory of 2180	2088	463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe	35
PID 2180 wrote to memory of 656	2180	cmd.exe	37
PID 2180 wrote to memory of 656	2180	cmd.exe	37
PID 2180 wrote to memory of 656	2180	cmd.exe	37
PID 2180 wrote to memory of 656	2180	cmd.exe	37
PID 2136 wrote to memory of 1372	2136	cmd.exe	38
PID 2136 wrote to memory of 1372	2136	cmd.exe	38
PID 2136 wrote to memory of 1372	2136	cmd.exe	38
PID 2136 wrote to memory of 1372	2136	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\463be2757961fd7fe766461e4ee42e11_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\csrcs.exe
  "C:\Windows\System32\csrcs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 -w 250 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 -w 250 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\huzivql

Filesize
80KB

MD5
2f4696312daac11660eafb6313d69768

SHA1
bf9b2ecfa2eef2c64ab578bdbbbb0dfb70f75712

SHA256
f28bcc94e4911d22076661684944c2f3fe469d6c1d28dd60cc1752192234f7a8

SHA512
1a50ff9e0a5054ff00b8057de10766de6b68e76ef97f3ea48fa58f6345a40ecef69dc45e3d8e4dc3679ddea4e155b8e131e5878825a8a70feb39877f43e9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
141B

MD5
9d7ddbc6c331aefed77908f803fca1e5

SHA1
d36afa796236730342b216f083c68a39227c13bf

SHA256
19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

SHA512
014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\suicide.bat

Filesize
251B

MD5
d9a28284b56e6ff17ad138267c8455ee

SHA1
1644d91aa2cd79dc34e163cda3f1adc097e167ed

SHA256
0604d1faf58b8096951d95373dd4e6832538903f67612fe2582b5b6e8b3c0ec1

SHA512
b1a3692a183d5d694f71652402e01885d5c019a3dbae442a484922fa039fa48de930f5d5f5c486b2bc29e3e66b32d0b52fb990c5308ccd47c12eeb94a24fa3bf

Download Submit
C:\Windows\SysWOW64\csrcs.exe

Filesize
410KB

MD5
463be2757961fd7fe766461e4ee42e11

SHA1
2df4b38aba0acc6bfc06ae43048bca8d7a7c81b2

SHA256
d358711d1febbfb896aa917ba93ff8a7e571fb28e35e036ac0dfb9d2196b182f

SHA512
efbb833ac4dddfe7b753443769981add7082ba331552e3f7f4c38807bcfffb9cf14c9bc0775a2f5976deb0cff89ff72c113cab1dee8adf6418fe106d4a6e83e3

Download Submit
memory/2088-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2088-16-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/2088-29-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/2088-62-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2892-31-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2892-43-0x0000000002DA0000-0x0000000002E32000-memory.dmp

Filesize
584KB

Download
memory/2892-51-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads