f666f0a9a589940ce6087f94645a1f2f811cd99febf3e0a2d132e05e99e6770d

General

Target

5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe
Size

301KB
MD5

5f04fcbd39bf41375a777256a9be36b4
SHA1

b31832d94a1ad1a419b68b2de494351dffd82cb8
SHA256

f666f0a9a589940ce6087f94645a1f2f811cd99febf3e0a2d132e05e99e6770d
SHA512

81e1175677fe9909973fd7cf350767d8f4b403d8c999731551ff9d407bf1c75b8927e661b3ffd2a03d6ae4d2b691aaf3950c64ee8f79f1eb7c3e7691590a6f19
SSDEEP

6144:qSBkA6sFHiMo28cApnULfnK6vaLjC8zDGI6KV8JtDM5jHE0:KsFCS6pnULfK6vijn4Mee

Score

7^/10

aspackv2 evasion trojan

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000174a8-11.dat	aspack_v212_v242
behavioral1/files/0x00090000000122db-23.dat	aspack_v212_v242

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2720	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe
2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 292	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	31
PID 2092 wrote to memory of 292	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	31
PID 2092 wrote to memory of 292	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	31
PID 2092 wrote to memory of 292	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2140	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2140	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2140	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2140	2092	5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe	33
PID 2140 wrote to memory of 2720	2140	cmd.exe	35
PID 2140 wrote to memory of 2720	2140	cmd.exe	35
PID 2140 wrote to memory of 2720	2140	cmd.exe	35
PID 2140 wrote to memory of 2720	2140	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f04fcbd39bf41375a777256a9be36b4_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\qqqqqq.bat
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\aaaaaaa.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaaaaaa.001

Filesize
301KB

MD5
84b0d8ab991ea1c9733e426d16299976

SHA1
9afa7c0087cfff8de7bf8f4f7a8e5558159d6e8e

SHA256
b0ca3b90de3b3083da2e3eae183c65326a482d17cdc6bb9d60a64d59b5e1ae18

SHA512
81505b391c3017035a712e2a4a41de4b0d9cbcb152d630672d46a9f33829ae69be6e1bde139e7b02d0198d473fbc67a71c537935583050175f38d71f1ca0ca85

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaaaaa.002

Filesize
145B

MD5
0f64180de162f60d23ae8d14c6fdf0bb

SHA1
0eb16b7ef3efdf80ce5e823e4542515dbfcdea14

SHA256
3c2192629460a97ccbe623c489b225f3cc66fa5ce2c023da575bec52ab151495

SHA512
674794b74b4100d72d33a6c9171670fe21515c73f865650e8df19fe666ad8408b29ce1921d51358f888a757971fa70ef2943337257efa5c37ce39ac66324cd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaaaaa.bat

Filesize
272B

MD5
c600ad71504c39f33cea81e314226bbe

SHA1
7f965b4b7080546c357aa9754eb02eae4132dc7a

SHA256
24e827cce42493a9e2076b9c2ae35a799e4ad680d8c02e9f7ad31d43d26d7bc6

SHA512
fbc71f022e9deb6ad20b05f998218eb228083469e784e2c20e5a97cf4a085d05147a3a30e8b97f9b61ba434f5821a52d45b11afef9d4fdab54d2ee323d517594

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaaaaa.exe

Filesize
301KB

MD5
5f04fcbd39bf41375a777256a9be36b4

SHA1
b31832d94a1ad1a419b68b2de494351dffd82cb8

SHA256
f666f0a9a589940ce6087f94645a1f2f811cd99febf3e0a2d132e05e99e6770d

SHA512
81e1175677fe9909973fd7cf350767d8f4b403d8c999731551ff9d407bf1c75b8927e661b3ffd2a03d6ae4d2b691aaf3950c64ee8f79f1eb7c3e7691590a6f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqqqqq.bat

Filesize
196B

MD5
ee2e4bb9b48be7ecfb2407ed6f63ffb1

SHA1
13b78b108ddaf7a815074eb54493d6c89b9be997

SHA256
cf636e707f01a9eeeb586e360bfe06abb294fa7e6597fdcc888663747161de28

SHA512
406d78bdfebc87bd922e3f90deefe2c61efce2aeb79585af6a991fdff395388e05c6973a395faa1541ae90d8db7f4d67847f356c793f627a6d1468dcd08136ba

Download Submit
memory/2092-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2092-25-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2092-27-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing