077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808

General

Target

05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Size

229KB
MD5

05276fec4d22dcdf33b18ca59fcbcc2b
SHA1

81f09ddd31ca6d3bff7eeec1d67f55e407e1a9b5
SHA256

077c35152c33c53a236cca7814da44ac5efd8e5227c02a2126b1b4d77c439808
SHA512

eda72239d3563d5bce76d0fe99f99c29ce63b1cd2e9b9d1774095bea2a3ea3d5bd1996eb825ac08ede68aa2b96f8c8d02980a61c1e1bb95e4dacdfcf3ba05e3c
SSDEEP

3072:U6jI9XJy7rww9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTTTTTTZ:XUZy0qzn76ppggmhOF0HFZlxU

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000900000002344f-9.dat	aspack_v212_v242
behavioral2/files/0x00070000000234ac-19.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
3300	MSWDM.EXE
2924	MSWDM.EXE
3480	05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
2388	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
File opened for modification	C:\Windows\devA7C9.tmp	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
File opened for modification	C:\Windows\devA7C9.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	MSWDM.EXE
2924	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3300	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	84
PID 2112 wrote to memory of 3300	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	84
PID 2112 wrote to memory of 3300	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	84
PID 2112 wrote to memory of 2924	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	85
PID 2112 wrote to memory of 2924	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	85
PID 2112 wrote to memory of 2924	2112	05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe	85
PID 2924 wrote to memory of 3480	2924	MSWDM.EXE	86
PID 2924 wrote to memory of 3480	2924	MSWDM.EXE	86
PID 2924 wrote to memory of 3480	2924	MSWDM.EXE	86
PID 2924 wrote to memory of 2388	2924	MSWDM.EXE	87
PID 2924 wrote to memory of 2388	2924	MSWDM.EXE	87
PID 2924 wrote to memory of 2388	2924	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3300
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe! !
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE
    3⤵
    - Executes dropped EXE
    PID:3480
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devA7C9.tmp!C:\Users\Admin\AppData\Local\Temp\05276FEC4D22DCDF33B18CA59FCBCC2B_JAFFACAKES118.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

Filesize
229KB

MD5
b90af47d4837e453736496040934457b

SHA1
d9277bfaba433b14eb7383259bdd0789430c069a

SHA256
a0396d0287961c9220777ca2a82b484316f3defb9b385d47d44bf1eb72d2db05

SHA512
acfe4de56feb4de8631d2c44341d83f478b34f3785e5ca66d61f68efe65ffabad7b693f484e82fc3eea78d4aa6349e88578c03e13c766d72f0219aef46518bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\05276fec4d22dcdf33b18ca59fcbcc2b_JaffaCakes118.exe

Filesize
229KB

MD5
efc9d61b9c947685d075197bc9727d52

SHA1
062ee3711784e7675fc2ff7bd9181ea9219fd6a2

SHA256
af8768d3f21f204622ba9b9f077c81dd92ee0ece88087c8091a8cc827bbe28b6

SHA512
5ad8ba37a046273023017a18636cf9e4dee16c486a753464684da123e46d78d9a1e81ed915f38e51d85ff8e717ea344713d20cf20b7f5cb817e4e19509e10c35

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
48KB

MD5
2cc0c2ba0c6d47e75f86d4257b97bfee

SHA1
3c6682ce02e8d27cae1660331b6aef93e2d1ffba

SHA256
8be865e79fa8a2025e0b8456fae9a4a9fc49fd17b0c6055787a1a8f2bc89bf78

SHA512
856d51b39e7f47701f886bb9e2b56ef3c0368d0b5e46bfd32b1fe08342d2f2e7941ae946ea8f40ff4a9b77ff438b092328a609cae9ebe61595fb55bbfc6914b0

Download Submit
C:\Windows\devA7C9.tmp

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2112-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2924-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2924-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3300-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3300-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads