cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319

General

Target

7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Size

108KB
MD5

7403f55d628688afbfd7e05cd5c27745
SHA1

db263c0be17efc4c7b53b9badb96df7cfeb4761c
SHA256

cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319
SHA512

212408a2293ee837da24bab9584adbe46c5d00a751143088a0d57c71b31e2c05fc26e0bbf7a8886d67dc2cfca1053689cd85e0c00b2df6c5e570d2e4423b6fa1
SSDEEP

3072:ed1qCcXqjW4yRq4XrCoa/5c268NsQA+inB1qpfYU8:edaOjy8Smo1260Q+iB18fY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/files/0x0009000000016d6c-14.dat	upx
behavioral1/memory/2684-33-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\IME\helps.txt	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeSecurityPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeBackupPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeRestorePrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica\ImagePath = "inf\\Wdica.sys"	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\inf\Https.dll

Filesize
129KB

MD5
dd33e18cf7f40aaafda8f28c25346c0e

SHA1
cb2ef2290ba151f5944e00adba0162eedcd4a998

SHA256
59507e06b7f0275c952ac6fc3c1893d647d39fd064685c32b32e18d6fef2d9c5

SHA512
af21637d7ec54c3b9f2a8cec7907e9f21af4f850460e4372ccabcb4c85b742f550ba99442bf98615cb6dcfd8f73b81ce33b68ad10b00d303346500cf40dd543d

Download Submit
C:\Windows\inf\Https.sys

Filesize
16KB

MD5
2de012f51bb1405de2a0252b9ee956d1

SHA1
82ce85a4353bad2a76c50f475de51bd4b5aeb226

SHA256
54cba28e4813b9e3ee154d68bb77b9b5c14aa0a74549cdbfbbabeeb86ccf17fb

SHA512
c7fe6206ea3f3632a19f6c788c77d1d2bc304170b9ebabdc9d398f01e145a8af7ab17973afa3be0c390c2a2e3c3d61babbecbdba504a2b51502d5ff372e79a48

Download Submit
\Windows\IME\helps.txt

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/2684-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2684-33-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing