0cc39b29d6dc4cdaf1746026422a16d266a49a3876de2038eef2ff18afb4934a

General

Target

66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
Size

40KB
MD5

66d01a2635605a707d1daaf71bc99096
SHA1

a802ebbf5d050c272120984bec527ccf1885e3b9
SHA256

0cc39b29d6dc4cdaf1746026422a16d266a49a3876de2038eef2ff18afb4934a
SHA512

add5eaed3848d82bdf83df2fcbacff7024201a1bf001e09a4ad1a8ca9875c853e8eb1e1acc545810e9665ae3f92873be81a51df4bbf96cab5ea11311c14f3bc9
SSDEEP

768:fnxC4FOxnoBKNWOzcqRPLqE4Y9JExiqdRHFFS6ai6uIdG62K:zOKBVUSyE3jH3S6id5N

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002346d-5.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
4228	rundll32.exe
4228	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2148-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x000900000002346d-5.dat	upx
behavioral2/memory/2148-19-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4228-23-0x0000000010000000-0x0000000010016000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sfcos.dll	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbgtemp	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dsoundtemp	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ACB.tmp	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 684	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	84
PID 2148 wrote to memory of 684	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	84
PID 2148 wrote to memory of 684	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	84
PID 2148 wrote to memory of 4964	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	86
PID 2148 wrote to memory of 4964	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	86
PID 2148 wrote to memory of 4964	2148	66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe	86
PID 4964 wrote to memory of 4228	4964	cmd.exe	88
PID 4964 wrote to memory of 4228	4964	cmd.exe	88
PID 4964 wrote to memory of 4228	4964	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66d01a2635605a707d1daaf71bc99096_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\sfc.exe
  "C:\Windows\system32\sfc.exe" /REVERT
  2⤵
  PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\s2am.ime,Runed
    3⤵
    - Loads dropped DLL
    - Modifies WinLogon
    PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\8ACB.tmp

Filesize
32KB

MD5
23f20faca066b16be5f34ae38fca7a67

SHA1
90c7c5ab45f80ee280139430270c3f1b2f0bde8d

SHA256
a1068dfcff17a3a5c22664e21f1dd61ec4bcdfd841dd709af500bbfcd697207d

SHA512
8248da9ba55407b5e84d7f69f762c3a54591580a2267dfccdaf5e97a1adfa468d8c4d508c76b9d3d848d4d3998d236e6333198b4ab4e59dd4d59c2b9771ccaa6

Download Submit
C:\Windows\SysWOW64\dbgtemp

Filesize
9KB

MD5
c3545163199f7d12a1339489fd877dd4

SHA1
63f0ad4847aa669a0719ef5cce7031fbf80f6615

SHA256
ebaa703c2d70f0dfd10a5b4b309d64f75db3381df83981af430c3b29d0801c70

SHA512
bd8de961d40c23510778204e89722b24f99456c14cc67be2b358aa4d53b962f17eec9c731558c568126aa245e0b28f4e5f6475f85101490fe7e2123f212393d4

Download Submit
C:\Windows\SysWOW64\dsoundtemp

Filesize
4KB

MD5
e74734d35e56385de26d7877ef34395a

SHA1
0fbedc3043990ce43c87607ed6c79686cb352acf

SHA256
98b73d00985aee2cf76451c63aff1f6b3765ea2f0942427f0fe9731ca98e7083

SHA512
7115be3f75156899e390aff78e1be7f5c6765cac3510f3397012c7e0a6dd9157d0900da5348b6b8a056e1d37fb831e0e80854d517d1e4a779f3b75a3ae962afb

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
\??\c:\del.bat

Filesize
195B

MD5
da59b0f3a3ce831aa5d53ce168cbec8a

SHA1
2efb1fb3d783b705cb5ca5e7a1082c0e0875ba34

SHA256
e83cd7b3f3fb2aea7f8a670e839b286ec46865b3983d37a088bc160c35e3eb0a

SHA512
103d102626190838e1d0eaa7c23dd3baac3e199fccbebb50bfc894f754eb51da8cbbe0fcd9147e676412ada853b0234f5040d903bc1e8a5aa233c7d01284a12e

Download Submit
memory/2148-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2148-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4228-23-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads