f626a1fbeac15a4a850001dbe73de91a20e082f32634bd95779b6a555b7a6107

General

Target

81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Size

614KB
MD5

81cddb98eadb57dc946191f9f24d1f3a
SHA1

e43542c5a46ea0fdf7d646ea4e57f9bd59b3df8b
SHA256

f626a1fbeac15a4a850001dbe73de91a20e082f32634bd95779b6a555b7a6107
SHA512

ce0d67625f56f425244b7e7810f312222fa797379a89ddeb93e7c5fddc67bce2c81c455ef773d161bb4c6e1db6ea1e502ca3d95abaa4f32f2a1444e357d2f6ef
SSDEEP

12288:t2uM6agmvH6UWIgLnihWSfLQLfFVyWfV9:t2uM6agm6UWIgehWScLTyo9

Score

10^/10

discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5000	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
4856	lsass.exe
3288	lsass.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1736-0-0x0000000000400000-0x000000000049B000-memory.dmp	upx
behavioral2/memory/1736-6-0x0000000000400000-0x000000000049B000-memory.dmp	upx
behavioral2/memory/4856-16-0x0000000000400000-0x000000000049B000-memory.dmp	upx
behavioral2/files/0x000d0000000234bb-13.dat	upx
behavioral2/memory/4856-24-0x0000000000400000-0x000000000049B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 4856 set thread context of 3288	4856	lsass.exe	90

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
4856	lsass.exe
3288	lsass.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 1736 wrote to memory of 5008	1736	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	86
PID 5008 wrote to memory of 5000	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	87
PID 5008 wrote to memory of 5000	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	87
PID 5008 wrote to memory of 5000	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	87
PID 5008 wrote to memory of 4856	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	88
PID 5008 wrote to memory of 4856	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	88
PID 5008 wrote to memory of 4856	5008	81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe	88
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90
PID 4856 wrote to memory of 3288	4856	lsass.exe	90

C:\Users\Admin\AppData\Local\Temp\81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\81cddb98eadb57dc946191f9f24d1f3a_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      "C:\Users\Admin\AppData\Roaming\lsass.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
614KB

MD5
78a3ef7972b306b1749a0ecb54423c49

SHA1
8733b33111a902d22817a9970e5bbea793cbef11

SHA256
49e7146cdd0d9c18664a3bf0198e89a84b525138946d07f9b86f2c377069e5b4

SHA512
079294642a97c9eeb470bd0c19c3a3716ba7ee61257e526822c717bcbdb2eb045696c44ccdce5bc2e29222b91c451f9f22384e8948794f92ebb31e2574300bb1

Download Submit
memory/1736-6-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1736-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3288-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3288-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3288-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3288-35-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3288-39-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4856-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4856-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5008-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5008-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5008-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads