b396e362c1d32d61fb654c2766025fcb8a86bc26776ad1f478ffb43a4bfc8878

General

Target

8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
Size

48KB
MD5

8605a1a556926842a95ab84eda97af74
SHA1

670b9eeac6080b26541ede974941fc7032e13c6d
SHA256

b396e362c1d32d61fb654c2766025fcb8a86bc26776ad1f478ffb43a4bfc8878
SHA512

50b9f2fd804465bcc149174d45c81bdede5a2f7cf98b99cda88b6f1110710acb8a21a01f5f1d7c6e7c4db4e4679a9a2afef6dd2ad52538eee246de49a47f11fb
SSDEEP

768:jVhHmMth6A4Uq6y+KkIP8c5+L/xa7JABVS06lyuoNDCktKXjlyoqpkXf:jzHmMthuUq9+Kk48C+QJAuoNgXjlyo6k

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1884	bill102.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-15.dat	upx
behavioral1/memory/2940-18-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2940-8-0x0000000000290000-0x00000000002B2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysfbtray = "c:\\windows\\bill102.exe"	bill102.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bill102.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\bill102.exe	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
File created	\??\c:\windows\bill102.exe	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
File created	C:\Windows\dxxdv34567.bat	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1036	1884	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bill102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	bill102.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\tp = "1000"	bill102.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1884	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1884	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1884	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1884	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2316	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2316	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2316	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2316	2940	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe	32
PID 1884 wrote to memory of 1036	1884	bill102.exe	34
PID 1884 wrote to memory of 1036	1884	bill102.exe	34
PID 1884 wrote to memory of 1036	1884	bill102.exe	34
PID 1884 wrote to memory of 1036	1884	bill102.exe	34

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8605a1a556926842a95ab84eda97af74_JaffaCakes118.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2940
- \??\c:\windows\bill102.exe
  c:\windows\bill102.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 612
    3⤵
    - Program crash
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\dxxdv34567.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bill102.exe

Filesize
48KB

MD5
8605a1a556926842a95ab84eda97af74

SHA1
670b9eeac6080b26541ede974941fc7032e13c6d

SHA256
b396e362c1d32d61fb654c2766025fcb8a86bc26776ad1f478ffb43a4bfc8878

SHA512
50b9f2fd804465bcc149174d45c81bdede5a2f7cf98b99cda88b6f1110710acb8a21a01f5f1d7c6e7c4db4e4679a9a2afef6dd2ad52538eee246de49a47f11fb

Download Submit
C:\Windows\dxxdv34567.bat

Filesize
277B

MD5
2b998e585185c414d80ff44353e5dcd9

SHA1
7fd5b5a1f84ed00f57644eb87d36076a9721b915

SHA256
8a02487d5946c099a34403044253ae5dbebf69313ed33b68bb4e4fb62a7d59e4

SHA512
01b75b85753d3a795f7b0485ee009f783093b2c0738030c2bfbe5215fe4934d95d02522cc6329ce64e53255c87e7ffb7308a52425184fd55d181577a8700efba

Download Submit
memory/2940-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-14-0x0000000000290000-0x00000000002B2000-memory.dmp

Filesize
136KB

Download
memory/2940-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-8-0x0000000000290000-0x00000000002B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads