48b0eb7494c93ae0a62eca8761334af1d8a1c7e22b3da85536d53a3ec6c40f43

General

Target

8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
Size

164KB
MD5

8c70b8d05096f429ff0e08c65e3054d0
SHA1

93349363a101bb2eac87f70aa8f083badbfc60b5
SHA256

48b0eb7494c93ae0a62eca8761334af1d8a1c7e22b3da85536d53a3ec6c40f43
SHA512

dd1787523d95f51a284b8778fa0240cf473b501fb433592617d8e41326b2dc70d399f3d3590994dff21acc4b8b1b9a21127dd6557bdaae603d808c4a7db5d65a
SSDEEP

3072:JtOBwK0TlLm8lirVlOJARb1X28BVmXIVWTjj3vfo69c:J8BO61ZlnzuXIVyHI6+

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3840-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3840-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4856-12-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4856-13-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3840-116-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5004-117-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5004-119-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3840-198-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 4856	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	84
PID 3840 wrote to memory of 4856	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	84
PID 3840 wrote to memory of 4856	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	84
PID 3840 wrote to memory of 5004	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	94
PID 3840 wrote to memory of 5004	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	94
PID 3840 wrote to memory of 5004	3840	8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8c70b8d05096f429ff0e08c65e3054d0_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1467.FC9

Filesize
996B

MD5
141bd35d1490f2bef6e9277badc7b847

SHA1
3c4f3080d5afed28532aba1da9e7929afce362bf

SHA256
fbb15f590a803936de305127c3c9c7d95d513aea0ea5d1f30ad284a92889818b

SHA512
1ccd4e46ba631132bb3b401092989387b38160685a2ea183f6064f067f96832ea8a56884873d297f81f6a4b27d376ba2ad199be3deef2569224d3773c994314b

Download Submit
C:\Users\Admin\AppData\Roaming\1467.FC9

Filesize
600B

MD5
2ddd7b1e8169684e7fb3b99331aaa477

SHA1
6b8dd2780543c47411ef02a1acaff15d55a8d043

SHA256
027238fefb014a5e2deb8987c4dde60114d9fe1deb6510855534c32857634dcb

SHA512
58225e32067cfc6bf5a490c1b7cb3a948af99638266d9208e5a780ba5d9ade7df69fd24751d16487867a3430af14b5a072e295baddac5930a0ac057995a3c62a

Download Submit
C:\Users\Admin\AppData\Roaming\1467.FC9

Filesize
1KB

MD5
db435347423a4c6d4660cd2168f2bb22

SHA1
1bd581dcc036d8142d86807b4511fc1e567b977c

SHA256
1256896acc35dd7727ecc3785ef0ea75cc1cde5fc784e20f8419e2d40b787459

SHA512
c6b15fe689d3a1b9c2baa23a0831ea9856f52d54a701468025dc0644c0e08f469f522ee45d7612b4a7d871eaefcc052615e3e9e1f696d76ecd6ebd75072776ea

Download Submit
memory/3840-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads