28d2b0173a0b9a8ccc73c0f40ae4be37fd8272432818cc6820462cdff038d584

General

Target

8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Size

1.4MB
MD5

8c2c226f58e88601b34d59c8ebd4c987
SHA1

69db26ce456559c565103fb362b72bec4409934a
SHA256

28d2b0173a0b9a8ccc73c0f40ae4be37fd8272432818cc6820462cdff038d584
SHA512

f1686c0caa042ef5c9ac0b685b5037ea1368c29bbfacd6135eda5c02a3ef7c989919ec538c92e12fee0a8ddc1f082ed314267d4ca642bc767787bb57a3e9c32d
SSDEEP

24576:1qyk+aDRGujRURnI9krKmsXKSzEnMG9iN8MQCUT9Kkn7/jLztCS6FExvZK8fRcbU:1qyk+aDRiEmsQnMG0N8MZs3nvQFExBiA

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234b7-12.dat	acprotect
behavioral2/files/0x00070000000234bb-18.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234bd-39.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5020	calc.exe

Loads dropped DLL 9 IoCs

pid	Process
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234b5-2.dat	upx
behavioral2/memory/5020-4-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-12.dat	upx
behavioral2/memory/5020-13-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-18.dat	upx
behavioral2/memory/5020-22-0x00000000021B0000-0x0000000002208000-memory.dmp	upx
behavioral2/memory/5020-21-0x00000000021B0000-0x0000000002208000-memory.dmp	upx
behavioral2/memory/5020-51-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/5020-53-0x00000000021B0000-0x0000000002208000-memory.dmp	upx
behavioral2/memory/5020-52-0x0000000010000000-0x000000001012A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe
5020	calc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 5020	3696	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe	85
PID 3696 wrote to memory of 5020	3696	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe	85
PID 3696 wrote to memory of 5020	3696	8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\calc.exe
  C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\calc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\SkinH_EL.dll

Filesize
107KB

MD5
2c9e22f960ca9c2f4caaa2a37d443eda

SHA1
3b90206f1ebb726013067adba3bc180f3c388f0a

SHA256
fbdb8ece088f95538de2690a630af44709be2c0cc5a1693bb4db2ed71d1661d3

SHA512
e307f5edc36695f10e20692df02fa5de661f7ef57257a2c41cc459cea9430bd162fb9eb7679b19f50e4400abf31413520a0b1a44bfc48261d56a2941094afdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eGrid.fne

Filesize
408KB

MD5
709f1646c30262b9f77a8aa72b29c59f

SHA1
3167a0f7382fdbd7990d63ffc2160b976690f1df

SHA256
7172c513f350e70465f2015e3bfa4e58a1ba69d1bf783c684f40fd8483f1c883

SHA512
3377556481f9c9734fcff765b0d48b38939ac68fe46f7a369fd627acc07d08cfe371847177965b07635c1ad028ff4d03d4bf98505d37233c829d5f996ebabec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext.fnr

Filesize
200KB

MD5
c597e19abcd8c10ea2ac0d33c419a93e

SHA1
18df89699e55745ef26bbffafb2ecfc8492a4492

SHA256
5ed76826bd31aa480d6e615da89fd023921810bcdacfdbf5ec090974afe321d6

SHA512
73a9869466e3c59112e22e6ba75f8e4d901fbd6acc6a1c1248963a7371d6a27b197f35ab7605559428262be852291bc78b081259a8a2f0f6ed066be371678c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\iext2.fne

Filesize
113KB

MD5
90598b9170d705d6ba5f4a8fd99359f0

SHA1
154505937c94821696f65c94af869b3393415f6b

SHA256
962dc01fdbe0aa30a0b7c1b235073e8bdf285cceaa7b98e19257d68e5164a0d2

SHA512
7024123f2648258638696a3258932444827dc4ef98453d244d3392e9411369de50a6dc373b2fcc300c9a6a3db9d069f22222168073f632a29dd2c36e1285c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
429KB

MD5
4fbc687f3af1e007a5ffabbda393ec7b

SHA1
b714435f7150608adc23d3df4d783bae1066b10e

SHA256
1d4bb9515b54e265985129591a53af9eba38dac98094d352427bd9f819b8c6fe

SHA512
694a43b8cfa41357065f948df1036e954d730038156a079d7528f732b574dc60d0dbd0fc88bbba615e9c26ed04821260a1740f3d15769e8730885a51859d7502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\calc.exe

Filesize
1.3MB

MD5
97e47588a35219417f64ee2184e99118

SHA1
37d77f2594d3a5e81f4aebe0efdc24506b17f542

SHA256
fd20d30fb61ae75dfb715837d811250b2dcce0fc40b2bd3af6533dac50860513

SHA512
39c550d772940d06be3dfdd27ae051a895a2e9887a837131b21ac9470f5e9fb929e8c29d4338cdd8b5406c42973d84546312ac3767c28006a1b77192937bfa1a

Download Submit
memory/5020-33-0x00000000026B0000-0x0000000002725000-memory.dmp

Filesize
468KB

Download
memory/5020-46-0x0000000002781000-0x00000000027C1000-memory.dmp

Filesize
256KB

Download
memory/5020-26-0x0000000002460000-0x00000000024A0000-memory.dmp

Filesize
256KB

Download
memory/5020-22-0x00000000021B0000-0x0000000002208000-memory.dmp

Filesize
352KB

Download
memory/5020-13-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/5020-4-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5020-47-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/5020-21-0x00000000021B0000-0x0000000002208000-memory.dmp

Filesize
352KB

Download
memory/5020-44-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/5020-42-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/5020-51-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5020-53-0x00000000021B0000-0x0000000002208000-memory.dmp

Filesize
352KB

Download
memory/5020-52-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/5020-57-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/5020-58-0x0000000002781000-0x00000000027C1000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing