077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808

General

Target

05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Size

229KB
MD5

05276fec4d22dcdf33b18ca59fcbcc2b
SHA1

81f09ddd31ca6d3bff7eeec1d67f55e407e1a9b5
SHA256

077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808
SHA512

eda72239d3563d5bce76d0fe99f99c29ce63b1cd2e9b9d1774095bea2a3ea3d5bd1996eb825ac08ede68aa2b96f8c8d02980a61c1e1bb95e4dacdfcf3ba05e3c
SSDEEP

3072:U6jI9XJy7rww9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTTTTTTZ:XUZy0qzn76ppggmhOF0HFZlxU

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000012117-29.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
1844	MSWDM.EXE
1696	MSWDM.EXE
2692	05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
2756	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1696	MSWDM.EXE
1696	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
File opened for modification	C:\Windows\dev9E42.tmp	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1696	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1844	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	30
PID 1900 wrote to memory of 1844	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	30
PID 1900 wrote to memory of 1844	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	30
PID 1900 wrote to memory of 1844	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	30
PID 1900 wrote to memory of 1696	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	31
PID 1900 wrote to memory of 1696	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	31
PID 1900 wrote to memory of 1696	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	31
PID 1900 wrote to memory of 1696	1900	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	31
PID 1696 wrote to memory of 2692	1696	MSWDM.EXE	32
PID 1696 wrote to memory of 2692	1696	MSWDM.EXE	32
PID 1696 wrote to memory of 2692	1696	MSWDM.EXE	32
PID 1696 wrote to memory of 2692	1696	MSWDM.EXE	32
PID 1696 wrote to memory of 2756	1696	MSWDM.EXE	33
PID 1696 wrote to memory of 2756	1696	MSWDM.EXE	33
PID 1696 wrote to memory of 2756	1696	MSWDM.EXE	33
PID 1696 wrote to memory of 2756	1696	MSWDM.EXE	33

C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9E42.tmp!C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9E42.tmp!C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE!
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
C:\Windows\MSWDM.EXE

Filesize
48KB

MD5
2cc0c2ba0c6d47e75f86d4257b97bfee

SHA1
3c6682ce02e8d27cae1660331b6aef93e2d1ffba

SHA256
8be865e79fa8a2025e0b8456fae9a4a9fc49fd17b0c6055787a1a8f2bc89bf78

SHA512
856d51b39e7f47701f886bb9e2b56ef3c0368d0b5e46bfd32b1fe08342d2f2e7941ae946ea8f40ff4a9b77ff438b092328a609cae9ebe61595fb55bbfc6914b0

Download Submit
memory/1696-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1696-28-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1696-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-3-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1900-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2756-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads