95ede52ec77a666c2a47e95b2fdac86532404121cc21cbe43ffa40bc5927ed88

General

Target

786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
Size

18KB
MD5

786108dd67caea8c93afb8814751e30b
SHA1

4ae556cec29e6544c2341bac146fd8467dfb0b36
SHA256

95ede52ec77a666c2a47e95b2fdac86532404121cc21cbe43ffa40bc5927ed88
SHA512

6c9b93c483059c31d2c19b2379564e8ea39f8de775a60a2bbe6da691b69f98bf64cce1ffc781208c3eed4b8e293b47e68bb9ad23c867376c59b4d42b016c8227
SSDEEP

384:Kpj0XRqAO7gvEA+HzI03u521luTfbTHC4WaJ3+NKEnM+gd5Chfa0T:Kh0XRdO7YiUGuc2ffi4WaxjEKkT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	FileName.exe
2600	FileName.exe

Loads dropped DLL 5 IoCs

pid	Process
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/588-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x0028000000016d66-20.dat	upx
behavioral1/memory/588-37-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2780-38-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2780-43-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\FileName.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 2600	2780	FileName.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileName.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
2780	FileName.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2836	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	30
PID 588 wrote to memory of 2836	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	30
PID 588 wrote to memory of 2836	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	30
PID 588 wrote to memory of 2836	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2328	2836	cmd.exe	32
PID 2836 wrote to memory of 2328	2836	cmd.exe	32
PID 2836 wrote to memory of 2328	2836	cmd.exe	32
PID 2836 wrote to memory of 2328	2836	cmd.exe	32
PID 588 wrote to memory of 2780	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	33
PID 588 wrote to memory of 2780	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	33
PID 588 wrote to memory of 2780	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	33
PID 588 wrote to memory of 2780	588	786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe	33
PID 2780 wrote to memory of 2600	2780	FileName.exe	34
PID 2780 wrote to memory of 2600	2780	FileName.exe	34
PID 2780 wrote to memory of 2600	2780	FileName.exe	34
PID 2780 wrote to memory of 2600	2780	FileName.exe	34
PID 2780 wrote to memory of 2600	2780	FileName.exe	34
PID 2780 wrote to memory of 2600	2780	FileName.exe	34

C:\Users\Admin\AppData\Local\Temp\786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\786108dd67caea8c93afb8814751e30b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyZDr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\FileName.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2328
- C:\Users\Admin\AppData\Roaming\Directory\FileName.exe
  "C:\Users\Admin\AppData\Roaming\Directory\FileName.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Directory\FileName.exe
    False
    3⤵
    - Executes dropped EXE
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dyZDr.bat

Filesize
146B

MD5
47c24e63751101d4702852578dca9fe0

SHA1
438ac9e25d51faa7ac1f6b5a1b3bbc2fb2f02404

SHA256
459bfe7d375cf90cc7064791441935950ed8994ed81bb95ed03153e5ea27e4bb

SHA512
d24c03a9bdf549e30da4e6297297b55b313e88280c0444fe801ed3b43a4ad08107a0a1cc6790ff256cbc6c770dd2dd5220c16376cb9e6a53d66475fc0d7e0520

Download Submit
\Users\Admin\AppData\Roaming\Directory\FileName.exe

Filesize
18KB

MD5
786108dd67caea8c93afb8814751e30b

SHA1
4ae556cec29e6544c2341bac146fd8467dfb0b36

SHA256
95ede52ec77a666c2a47e95b2fdac86532404121cc21cbe43ffa40bc5927ed88

SHA512
6c9b93c483059c31d2c19b2379564e8ea39f8de775a60a2bbe6da691b69f98bf64cce1ffc781208c3eed4b8e293b47e68bb9ad23c867376c59b4d42b016c8227

Download Submit
memory/588-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/588-34-0x0000000002720000-0x0000000002734000-memory.dmp

Filesize
80KB

Download
memory/588-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads