f736d0f6e3bbf6e639190bcd7b2c7787d3103521b1bf8447bd3c94c5621e784e

General

Target

77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
Size

320KB
MD5

77458ddbc3169b5e6330dfb7e71fdc7b
SHA1

924b49be5df2a2b4d7cd0b97b936c9eab3f2d66c
SHA256

f736d0f6e3bbf6e639190bcd7b2c7787d3103521b1bf8447bd3c94c5621e784e
SHA512

de204f0822d1f9a3f1611c7d4d9a8d5f46bc2cbfbdf2471a204be524a930bafee6905fd5c5bfbbe10f106168bbe1de88d2f1b72cd76b9956171a741e661e76cd
SSDEEP

6144:h7/s3wJ27Xwoipg+drRuc9dB99NWW4PYJOXOGwW56lwx5UmXhB8ZegxU:hwm27XlE/drlr9XNjHGw4cU5UmRB8ZxC

Score

8^/10

discovery persistence vmprotect

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AlYacEventDcomRemote\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcoref.dll"	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
724	svchost.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	67.43.161.211
Destination IP	202.30.143.11
Destination IP	67.43.173.7
Destination IP	67.43.161.221
Destination IP	202.30.143.11
Destination IP	67.43.173.7
Destination IP	67.43.173.8
Destination IP	203.240.193.11
Destination IP	67.43.161.221
Destination IP	72.34.255.211
Destination IP	67.43.161.211
Destination IP	67.43.161.221
Destination IP	67.43.173.8
Destination IP	203.240.193.11
Destination IP	203.240.193.11
Destination IP	72.34.255.211
Destination IP	202.30.143.11
Destination IP	67.43.161.221

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/724-30-0x0000000001560000-0x0000000001577000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npkcoref.dll	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\npkcoref.dll	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
724	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
Token: SeDebugPrivilege	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
Token: SeDebugPrivilege	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
Token: SeDebugPrivilege	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3864	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe	85
PID 5028 wrote to memory of 3864	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe	85
PID 5028 wrote to memory of 3864	5028	77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77458ddbc3169b5e6330dfb7e71fdc7b_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240620953.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240620953.bat

Filesize
266B

MD5
7716495a21c27f575ada4205761db745

SHA1
a12b72b296536d66774aa0291e96f8a3e7917110

SHA256
a6a4bae7f1d35da80094378c6a3fb90bb46c41340dc395fbda993636a3c1ee6f

SHA512
7f5ca3fb2bce95007d44343f8789dc54afbeedb7e87493b8de22bf46aa71cc6610fbcf307d22e5f2abae879be8907948e02d87d0d07da44f3d039dd81d5cd7be

Download Submit
\??\c:\windows\SysWOW64\npkcoref.dll

Filesize
228KB

MD5
6fbf54b5aa82e21949fcf814e1a0e69d

SHA1
95a8b232be9807123bf4be47860bffdd76c7819f

SHA256
dbf70411e55349a8736d91a89044b688967cf6a9eb5d5230d962a9f235607071

SHA512
c9c8517166ae809f384e606d6b397e2a2a5070e2a31214e756365487789604641a2114ecd24b9cf78b8768e0aafbb27c8339768b8b02480fd95aff5c8b85bd45

Download Submit
memory/724-29-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/724-26-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/724-30-0x0000000001560000-0x0000000001577000-memory.dmp

Filesize
92KB

Download
memory/724-56-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-14-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-10-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-4-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-19-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-25-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/5028-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5028-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5028-1-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing