ccf597c8a10ceffd13b61927b20c901cf1aa2bbc8ab41fc9f2dbf99ae028f7d3

General

Target

49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe
Size

18KB
MD5

49b117f1cf58b88299f9073dc0468530
SHA1

fbcdff7207589c8a5eebb1fc6752f1ecc18483c9
SHA256

ccf597c8a10ceffd13b61927b20c901cf1aa2bbc8ab41fc9f2dbf99ae028f7d3
SHA512

cec7dfe7acd7b16aa4d22c4a77930ab18340256d31fb1a6dd803adfc39344443e252d5cb8089efe6830f79717d098a7af7dd71c00dbf8ee9596470be72a66cd0
SSDEEP

384:i9dOKPeB6rvxZ5zBKpA5V18VzVZnP4fbQ:QdOKl9Z5dKauznaQ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/624-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/624-90-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 1900000001000000100000005dc45e2cd1845791bdde7600050af510030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a0b000000010000000e00000074006800610077007400650000001d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e71400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc090000000100000016000000301406082b0601050507030106082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 040000000100000010000000069f6979166690021b8c8ca2c3076f3a0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a1900000001000000100000005dc45e2cd1845791bdde7600050af51020000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A	49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49b117f1cf58b88299f9073dc0468530_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f5c6e43b01ef764d2f5f2ffb5196180

SHA1
b864034f906a153aaf85e596825fa4c7af83f38f

SHA256
8ff9ed955b019fe1734b6a8153c55f21d75cc3c37bbd83e6daf2a8f92bc9324a

SHA512
39bf383961cab986ba0500408d0e388d9f5405a8e2b7f414dd64550b2f53cdeeddb89c2b3c250d7fe3df620fc02d8de500bd9b5d57907f8b8a4515e4cd0afdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEDDA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEEE6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/624-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing