3e5e2a598e92c8183b058b6519971b74e68afab38fb15b95306a9a07e074bd2b

General

Target

8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe
Size

85KB
MD5

8c37bd4a2d02381b56442be140827bf5
SHA1

44aa3edfa2141f4df3ae034891721da0f0e28fc3
SHA256

3e5e2a598e92c8183b058b6519971b74e68afab38fb15b95306a9a07e074bd2b
SHA512

8c40e274167c9a669a1732589554d2d04e2b7a2a6a5b60ea7fdd2b59211c92ba2080622b9e12deb1fefe80a5c2396c67dcbd7d396d18c2a2c7d972aa58e38b89
SSDEEP

1536:bsRzq2fhbp1pl7uMN5GFUUCJHTieoKF34he4Zh6pN50SUYSKTbsywzebTNIj4NY:zt2UCxOeoKFAbO03qCavNDNY

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svcnost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\roaming\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\svcnost.exe = "c:\\users\\admin\\appdata\\roaming\\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\\svcnost.exe:*:Enabled:ldrsoft"	svcnost.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	svcnost.exe
2060	svcnost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-9-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-12-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-11-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-10-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-6-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-3-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-2-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2060-25-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2428-27-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2060-40-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\\svcnost.exe\""	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 2076 set thread context of 2060	2076	svcnost.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcnost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcnost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry	svcnost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 353830353830363231	svcnost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2428	1780	8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2076	2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe	32
PID 2428 wrote to memory of 2076	2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe	32
PID 2428 wrote to memory of 2076	2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe	32
PID 2428 wrote to memory of 2076	2428	8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe	32
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33
PID 2076 wrote to memory of 2060	2076	svcnost.exe	33

C:\Users\Admin\AppData\Local\Temp\8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c37bd4a2d02381b56442be140827bf5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- \??\c:\users\admin\appdata\local\temp\8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe
  "c:\users\admin\appdata\local\temp\8c37bd4a2d02381b56442be140827bf5_jaffacakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Roaming\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\svcnost.exe
    "C:\Users\Admin\AppData\Roaming\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\svcnost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - \??\c:\users\admin\appdata\roaming\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\svcnost.exe
      "c:\users\admin\appdata\roaming\xu1v2dq1iagmuchxgykswyz1cuqb1pjo2\svcnost.exe"
      4⤵
      Modifies firewall policy service
      Loads dropped DLL
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\desktop.ini

Filesize
9KB

MD5
4a27242b307c6a836993353035fafc16

SHA1
5fea7a41b8f9071848108015d8a952e6f944eea0

SHA256
02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1

SHA512
35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be

Download Submit
\Users\Admin\AppData\Roaming\ntuser.dat

Filesize
54KB

MD5
7e8e966927e04a35aec644602b8a9e05

SHA1
d201b0b41e8701818d60ddbf9f334332a512c4da

SHA256
46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c

SHA512
246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51

Download Submit
memory/1780-7-0x0000000000400000-0x0000000000418030-memory.dmp

Filesize
96KB

Download
memory/2060-42-0x0000000000250000-0x000000000026D000-memory.dmp

Filesize
116KB

Download
memory/2060-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2060-30-0x0000000000250000-0x000000000026D000-memory.dmp

Filesize
116KB

Download
memory/2060-25-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2076-20-0x0000000000400000-0x0000000000418030-memory.dmp

Filesize
96KB

Download
memory/2428-2-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-3-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-27-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-6-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-10-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-11-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2428-9-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads