1b733994882c9dfd6a56567db8baf2b6a4799dcfa48cb03ee87f72c0ac9d1e0f

General

Target

67e72b246fa68902935978681fa72358_JaffaCakes118.exe
Size

18KB
MD5

67e72b246fa68902935978681fa72358
SHA1

0729701822bf400660038f06b0c3ab6da58c1351
SHA256

1b733994882c9dfd6a56567db8baf2b6a4799dcfa48cb03ee87f72c0ac9d1e0f
SHA512

4a0cd976bf9d047f5f3ca2b8e6253a53e95dbe5f481b11661a2e6f75c64fbe3b3c830fab3fc153d0e1b098ad3c14300fcc2e9d4fa06b90607ab6f78db62f4440
SSDEEP

384:So3bqfV9APDVizbW2n9KzikSseKiWrt3yV4typa:S8bqfAVizK29OJSsI0Oa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3052	svchost.exe
2116	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe
2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe
3052	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-6-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2988-8-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2988-5-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-27-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-28-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-29-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-30-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-33-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-37-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2116-41-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Network maneger = "C:\\Windows\\system\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network maneger = "C:\\Windows\\system\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 3052 set thread context of 2116	3052	svchost.exe	33

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\svchost.exe	67e72b246fa68902935978681fa72358_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svchost.exe	67e72b246fa68902935978681fa72358_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.dbsarticles.com"	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2988	2512	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	31
PID 2988 wrote to memory of 3052	2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	32
PID 2988 wrote to memory of 3052	2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	32
PID 2988 wrote to memory of 3052	2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	32
PID 2988 wrote to memory of 3052	2988	67e72b246fa68902935978681fa72358_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2116	3052	svchost.exe	33
PID 3052 wrote to memory of 2116	3052	svchost.exe	33
PID 3052 wrote to memory of 2116	3052	svchost.exe	33
PID 3052 wrote to memory of 2116	3052	svchost.exe	33
PID 3052 wrote to memory of 2116	3052	svchost.exe	33
PID 3052 wrote to memory of 2116	3052	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\67e72b246fa68902935978681fa72358_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67e72b246fa68902935978681fa72358_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\67e72b246fa68902935978681fa72358_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\67e72b246fa68902935978681fa72358_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system\svchost.exe
    "C:\Windows\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\system\svchost.exe
      C:\Windows\system\svchost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies Internet Explorer start page
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\system\svchost.exe

Filesize
18KB

MD5
67e72b246fa68902935978681fa72358

SHA1
0729701822bf400660038f06b0c3ab6da58c1351

SHA256
1b733994882c9dfd6a56567db8baf2b6a4799dcfa48cb03ee87f72c0ac9d1e0f

SHA512
4a0cd976bf9d047f5f3ca2b8e6253a53e95dbe5f481b11661a2e6f75c64fbe3b3c830fab3fc153d0e1b098ad3c14300fcc2e9d4fa06b90607ab6f78db62f4440

Download Submit
memory/2116-30-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-27-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-29-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-33-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-37-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2116-41-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2988-8-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2988-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2988-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2988-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-6-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads