f22b240562fa7b29df048f26a74b160636fc228e171171044fd31efd0cb8b5de

General

Target

671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe
Size

57KB
MD5

671ab890dfe84bcc231ced7533e8f2ed
SHA1

e826097c31594bc3667adca214753428b3fcab11
SHA256

f22b240562fa7b29df048f26a74b160636fc228e171171044fd31efd0cb8b5de
SHA512

a818fd508a6524efa2a3911475334a713f3a7c301b4557054aefebf60e7841eb985793249a7ba756190ac2c1430b11689569e3ce366fe9b61d8149a2ffa127b9
SSDEEP

1536:ZsI3lnT5xNHAFC7Mm4Pr1GEpN0soRaXmCBu:rThWCAm4ppN0soA

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000234f9-30.dat	aspack_v212_v242

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system32\\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system32\\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system32\\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system32\\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system32\\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"	regedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\msapps\msapp.dll	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe
File opened for modification	C:\Windows\msapps\msapp.dll	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe

Runs .reg file with regedit 5 IoCs

pid	Process
1096	regedit.exe
4528	regedit.exe
732	regedit.exe
4680	regedit.exe
2544	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1096	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	85
PID 2124 wrote to memory of 1096	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	85
PID 2124 wrote to memory of 1096	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	85
PID 2124 wrote to memory of 4528	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	96
PID 2124 wrote to memory of 4528	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	96
PID 2124 wrote to memory of 4528	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	96
PID 2124 wrote to memory of 732	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	99
PID 2124 wrote to memory of 732	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	99
PID 2124 wrote to memory of 732	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	99
PID 2124 wrote to memory of 4680	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	101
PID 2124 wrote to memory of 4680	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	101
PID 2124 wrote to memory of 4680	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	101
PID 2124 wrote to memory of 2544	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	109
PID 2124 wrote to memory of 2544	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	109
PID 2124 wrote to memory of 2544	2124	671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe	109

C:\Users\Admin\AppData\Local\Temp\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windowssharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1096
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windowssharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4528
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windowssharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:732
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windowssharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4680
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windowssharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\671ab890dfe84bcc231ced7533e8f2ed_JaffaCakes118.exe

Filesize
57KB

MD5
671ab890dfe84bcc231ced7533e8f2ed

SHA1
e826097c31594bc3667adca214753428b3fcab11

SHA256
f22b240562fa7b29df048f26a74b160636fc228e171171044fd31efd0cb8b5de

SHA512
a818fd508a6524efa2a3911475334a713f3a7c301b4557054aefebf60e7841eb985793249a7ba756190ac2c1430b11689569e3ce366fe9b61d8149a2ffa127b9

Download Submit
C:\Windows\msapps\msapp.dll

Filesize
1KB

MD5
bcba9d21cdf4dc5684529857941cff22

SHA1
c1542b62871eea55ec5d30ff5d6482c6c59d89b0

SHA256
1c43edf58e344db8e22bd38c1fc8427f125bb03d9bdf37d2a61aff3299912bcb

SHA512
1a024ef62dbc44ebed36dd28c23a6fddf28888aaed6132cb16b878aed8cd43bfcf5cf48b5460e8fa65735727447f629642a50fae11c98c49f8d5c4ee6d0e30fc

Download Submit
C:\Windowssharedapp.reg

Filesize
198B

MD5
998da4615c96b784dc97a3b0a101d0a2

SHA1
5d98e609557ab79ab39d5fbef66d232738c1f1fc

SHA256
e2e46f90d144ac70cfe2221b89e8440e76f86215b3818b45c67d792919e3cf89

SHA512
7ff44d838dd772a1f91a08c5d2f833fcf5a431b9d92c31b83e224744ab75bb8dbcc46c982c6000920264b6108edc2ad0d27ca31fd68ad5baeca389c3011b2879

Download Submit
memory/2124-4-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-6-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads