80ea5385e4fd0ff0338e18191aa2b880da5955a68497f2ed7b92dfccfec26112

General

Target

4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
Size

392KB
MD5

4ca1ce292ed7f5353656ceac2a6cf65e
SHA1

62fcfc885b2add4908af084d9cee1efd649eb75e
SHA256

80ea5385e4fd0ff0338e18191aa2b880da5955a68497f2ed7b92dfccfec26112
SHA512

9139dbe261393a7ff38eadf275a9cdd4cb484cb7ed617c70554ff1325e7a3d466d4376af638b2a5c02857ea8ee552d8f9e5712e0d27706446ebb687e7d76ba62
SSDEEP

6144:w2KEvF/mge9bW/1N9P9dJUdgwAlBanW3z1ggRO79+gBJEnNAnkOBL:/vFeL9bEdCOwAlBBZh07JXGbGL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4204	csboyDVD.dll
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
1456	services.exe
1440	csboyAuTo.dll
2152	services.exe
1976	csboyAuTo.dll
4076	services.exe
4892	csboyTT.dll

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023458-35.dat	upx
behavioral2/memory/1440-38-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1976-51-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1440-53-0x0000000000400000-0x0000000000414000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00070000000234fb-63.dat	vmprotect
behavioral2/memory/4892-65-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect
behavioral2/memory/4892-71-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Services\\services.exe"	csboyAuTo.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Services\\services.exe"	csboyAuTo.dll

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\csboy_ing_Code.ini	services.exe
File created	C:\Program Files\Common Files\Services\csboyDvd.ocx	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\services.exe	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyAuTo.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyTj.ocx	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\csboy_ing_Code.ini	services.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyDVD.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyAuTo.ocx	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyTT.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyDw.ocx	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\services.exe	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyAuTo.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboybind.au	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyTT.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\csboyDVD.dll	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5000	1456	WerFault.exe	88
4212	4076	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1440	csboyAuTo.dll
1440	csboyAuTo.dll
1440	csboyAuTo.dll
1440	csboyAuTo.dll
1440	csboyAuTo.dll
1440	csboyAuTo.dll
1976	csboyAuTo.dll
1976	csboyAuTo.dll
1976	csboyAuTo.dll
1976	csboyAuTo.dll
1976	csboyAuTo.dll
1976	csboyAuTo.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll
4892	csboyTT.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	services.exe
Token: SeDebugPrivilege	4076	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
3060	new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4892	csboyTT.dll
4892	csboyTT.dll

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 4204	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	86
PID 1632 wrote to memory of 4204	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	86
PID 1632 wrote to memory of 4204	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	86
PID 4204 wrote to memory of 3060	4204	csboyDVD.dll	87
PID 4204 wrote to memory of 3060	4204	csboyDVD.dll	87
PID 4204 wrote to memory of 3060	4204	csboyDVD.dll	87
PID 1632 wrote to memory of 1456	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	88
PID 1632 wrote to memory of 1456	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	88
PID 1632 wrote to memory of 1456	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	88
PID 1632 wrote to memory of 1440	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	89
PID 1632 wrote to memory of 1440	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	89
PID 1632 wrote to memory of 1440	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	89
PID 1440 wrote to memory of 2152	1440	csboyAuTo.dll	90
PID 1440 wrote to memory of 2152	1440	csboyAuTo.dll	90
PID 1440 wrote to memory of 2152	1440	csboyAuTo.dll	90
PID 1976 wrote to memory of 4076	1976	csboyAuTo.dll	92
PID 1976 wrote to memory of 4076	1976	csboyAuTo.dll	92
PID 1976 wrote to memory of 4076	1976	csboyAuTo.dll	92
PID 1632 wrote to memory of 4892	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	98
PID 1632 wrote to memory of 4892	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	98
PID 1632 wrote to memory of 4892	1632	4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ca1ce292ed7f5353656ceac2a6cf65e_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Common Files\Services\csboyDVD.dll
  "C:\Program Files\Common Files\Services\csboyDVD.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe
    "C:\Users\Admin\AppData\Local\Temp\new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3060
- C:\Program Files\Common Files\Services\services.exe
  "C:\Program Files\Common Files\Services\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 536
    3⤵
    - Program crash
    PID:5000
- C:\Program Files\Common Files\Services\csboyAuTo.dll
  "C:\Program Files\Common Files\Services\csboyAuTo.dll"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Program Files\Common Files\Services\services.exe
    "C:\Program Files\Common Files\Services\services.exe"
    3⤵
    - Executes dropped EXE
    PID:2152
- C:\Program Files\Common Files\Services\csboyTT.dll
  "C:\Program Files\Common Files\Services\csboyTT.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4892

C:\Program Files\Common Files\Services\csboyAuTo.dll
"C:\Program Files\Common Files\Services\csboyAuTo.dll"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Common Files\Services\services.exe
  "C:\Program Files\Common Files\Services\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 508
    3⤵
    - Program crash
    PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1456 -ip 1456
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4076 -ip 4076
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\csboyAuTo.dll

Filesize
47.7MB

MD5
fcc794601fdce7eb942027675ad8ea63

SHA1
9bfac3d327a1eef5b2e404805297af09c564ccb0

SHA256
72d3bfe7e09c2612a84e75dcd49d574015aca4fc5cdeebd13d6a6fb3a088fdf5

SHA512
7af0933c0d8bd3563a839522122debc8070ca85598f28a972c40fafa08ca2b1aa56367df0950e1ab4309ae93d98edeb650d4edcbf17859beb6b0338a5144e45e

Download Submit
C:\Program Files\Common Files\Services\csboyDVD.dll

Filesize
606KB

MD5
70cf75b9d525ddf0a14f2af56ea32529

SHA1
ff84c3ad6fe27abe36c2a5935b20bd86e6d5e8b1

SHA256
973d2169db06f324d1ef0118d6f111587634d771ac464925f1e5e433ebe4d8a3

SHA512
c6bc31dbf5d89753505a09931abd32a8a99a15f6628de165cbc931ca6e3c4ef51a4fed8f7ffccca3f48968bc6bdcaf8b3f2fb644d1a018d4b26f55291d21ac82

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
47.7MB

MD5
6e741d2b361c41c7d4b70b1b9fc41e6c

SHA1
f733fe0473093f443a2621d5854eb7c8c70461eb

SHA256
fddc2f174da917ba9fef82744e4ef50f3f3aea38be5b58ab9ce625a98f70ebdc

SHA512
8eea353d98a308f04e8993fe23a9f654ffe7eadfba358e96bd2937ba6ba955cd1b5e5de93fee76fc2e5f4af86797800066540c8eda262d4d2940e22ef016a656

Download Submit
C:\Program Files\Common Files\Services\services.exe

Filesize
47.8MB

MD5
83187b6a1cea93e88cb30973537160e0

SHA1
dcdd22309ffb328007f666465d0e3ac5f7dc1bcc

SHA256
fd5db222f01dec216a3f5da81cfaf6ef3a59451031639f92844b68704facb7a2

SHA512
09badbdce1df1a0aa5773a8356cb9656fb86c855d9e3208d28c5954ad7498f2ab6f4c5a849f6f8fec434fa6555a2cbcbaac097f6a9e7eb33a8e257f38636a7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\new_av.exe_BB75EDE1EE50EF7818CA083E52115D6B575BAA10.exe

Filesize
252KB

MD5
f078d92f8f66da0282182d8dd0aae324

SHA1
b0d4b82066eeabeaefa98313a1eb758d0031b0bd

SHA256
d934ce097cb3619dd5dc686cdbd59df71b83b9fca98842e0b050c97a06c3cb91

SHA512
ea752a3ef4223504b5b30e9484e2ac83886cedc0ae1f5d4dbed6b9059865541c67442402c869462c28f186a0d1237c4ee3076650bf397376ea60f243b63bb7d2

Download Submit
memory/1440-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1440-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-37-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/1456-57-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/1456-25-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/1456-27-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/1456-26-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/1456-28-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/1456-23-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/1632-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1632-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1976-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2152-41-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/2152-42-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/2152-43-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/3060-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-47-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/4076-48-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/4076-49-0x0000000000400000-0x0000000000431379-memory.dmp

Filesize
196KB

Download
memory/4204-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4204-10-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4204-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4204-30-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4892-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4892-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads