436ba003e5128d5d183a28e548db670c5545e8ff3df02208c2df6fda4487681d

General

Target

78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
Size

1.1MB
MD5

78d2f6bc24cce62a2646c2cfa95bf067
SHA1

915fa4a1cab419b8429bf240adaed92ab3f16fe2
SHA256

436ba003e5128d5d183a28e548db670c5545e8ff3df02208c2df6fda4487681d
SHA512

10479b6d793891f877413d9cb8afc75f2557b800e69085843e0a76b2f90ec6a64bedc394c8fcc73310caf312074fa7407a3bd7856761dc8e095fec25f6a68a8e
SSDEEP

24576:7zuEHTzZDVlzNxJQgU4x53Y/K5Cj06Bxh3NKQMf/u474bUA4JdUJ4+b57Hi:PuEzzhV9Bx5o/K5u0659PEmYA+dUJ4+N

Score

7^/10

discovery upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	psf40.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	psf40.exe

Executes dropped EXE 3 IoCs

pid	Process
696	psf40.exe
2088	psf40.exe
1916	AutoRun.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
696	psf40.exe
2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2380-23-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psf40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psf40.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 696	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	30
PID 2380 wrote to memory of 696	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	30
PID 2380 wrote to memory of 696	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	30
PID 2380 wrote to memory of 696	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1916	2380	78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe	31
PID 696 wrote to memory of 2088	696	psf40.exe	32
PID 696 wrote to memory of 2088	696	psf40.exe	32
PID 696 wrote to memory of 2088	696	psf40.exe	32
PID 696 wrote to memory of 2088	696	psf40.exe	32
PID 696 wrote to memory of 2088	696	psf40.exe	32
PID 696 wrote to memory of 2088	696	psf40.exe	32

C:\Users\Admin\AppData\Local\Temp\78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78d2f6bc24cce62a2646c2cfa95bf067_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\psf40.exe
  "C:\Users\Admin\AppData\Local\Temp\psf40.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\psf40.exe
    "C:\Users\Admin\AppData\Local\Temp\psf40.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\AutoRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoRun.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AutoRun.exe

Filesize
152KB

MD5
d6389bf4a3e28801f44762b3e152f804

SHA1
319715b21c11a5f67bcadcf8dc9dc0fd91b6d9c8

SHA256
b991956d0e629574649846715c2da3c0482f1adf6a0cbb6ddae49a8f226fb1b0

SHA512
a39f264718251a19f91c4333ccbeeb881073db4fbbc6b536a10ea333aedc68b9989767e191da9a7c7fe0dcbf028cfb299c811277cc77fa730043ff0a04a928c5

Download Submit
\Users\Admin\AppData\Local\Temp\psf40.exe

Filesize
1.1MB

MD5
9aa6c95b2cb17369fd4164cd8390df9b

SHA1
c8d5dad443ee1a8623ec990f98276f3ef6f6dfda

SHA256
b3061625023c1d43661ab5a5fe83f319f470b359cdf56996ef08e266a4166ba8

SHA512
a53da91970a49d038ef218b6e457144177f02402c15df7baee9330fe74ba4966b288809e3ea9553dff2931666ae562d9a13524a6d5b4b827243eb67429996e2f

Download Submit
memory/696-39-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/696-40-0x0000000002090000-0x000000000223F000-memory.dmp

Filesize
1.7MB

Download
memory/2088-35-0x0000000002050000-0x0000000002154000-memory.dmp

Filesize
1.0MB

Download
memory/2088-25-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2088-28-0x00000000004CE000-0x00000000004CF000-memory.dmp

Filesize
4KB

Download
memory/2088-29-0x0000000002050000-0x0000000002154000-memory.dmp

Filesize
1.0MB

Download
memory/2088-37-0x0000000002050000-0x0000000002154000-memory.dmp

Filesize
1.0MB

Download
memory/2088-38-0x0000000002050000-0x0000000002154000-memory.dmp

Filesize
1.0MB

Download
memory/2088-41-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2380-23-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-0-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-11-0x00000000025B0000-0x000000000275F000-memory.dmp

Filesize
1.7MB

Download
memory/2380-10-0x00000000025B0000-0x000000000275F000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing