cc74da59ac86b951ed556f5f2ce5e9da4eb61c21f11209cf043a0d29bef69876

General

Target

88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
Size

135KB
MD5

88420113af3853846fe8915b5d0fc75f
SHA1

7c38abddb79a2cc35bab069cbfcf6d16fc9b9eeb
SHA256

cc74da59ac86b951ed556f5f2ce5e9da4eb61c21f11209cf043a0d29bef69876
SHA512

b72e5d95b0e153064ed5483330ebfa6edaacf3bc2d769feb62cc9abcc52f9dd02e2844440be7382057d214699b00539f1d8aed6e0f09eb79c0188941956f9b6f
SSDEEP

3072:S9kcc/OJTMw6Rgo5SBzLpqpBhQRHVegXIDzZwt7Q:S9k1/S4wN6SlFqbu1eFDzCt7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2224	svchost.exe
2352	Keygen.exe

Loads dropped DLL 10 IoCs

pid	Process
2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2352	Keygen.exe
2352	Keygen.exe
2352	Keygen.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012286-3.dat	upx
behavioral1/files/0x00080000000162e3-29.dat	upx
behavioral1/memory/2352-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2224-13-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2352-109-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2968-110-0x0000000000940000-0x000000000096C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2372	2224	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2224	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2224	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2968 wrote to memory of 2352	2968	88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32
PID 2224 wrote to memory of 2372	2224	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88420113af3853846fe8915b5d0fc75f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 392
    3⤵
    - Program crash
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
11KB

MD5
ba132df9edc0a6a68fde0eda7250d30e

SHA1
4bbfdfb26711d1b747a23a012dd661238ca3c082

SHA256
5f41354e53c9aa4c85ee567aa17f3aeb25563dc87f308c83ddfa5e7cdca7bdca

SHA512
5d08bb742263244071e3f68c56d90989c9f16800c525c8aa923377373da985fd3d32e7b6ed5716e0a458429784bd2ecacb7ac92dd9a761ae7e33e6b75c330ae6

Download Submit
\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
16KB

MD5
9b578fd26c3fbe4b720c9ab2e3556924

SHA1
7e4395344a02ffa469bac8cbbd82ccd1d7f5f7ba

SHA256
1fb4df7d07ed8e55b10da166f28dd493a08ff6cf43ef5ca56693e252c4369deb

SHA512
dca17c52d9d76d51e11b819e7ac09de12a823415a8bb7fae32d101cc86516c4da3c07aa863181d490e33e5b43668f1b986f6d22840c12d21d60882cb942e7b25

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
56KB

MD5
e1d300e107fdf1d777e2f6f99fe438d2

SHA1
82ede37d811b55cd50cdf3f50b4e16e3d529d6ab

SHA256
7a6a67678f6c6df657aabef24a48577ce0b8197a05e16468ce01a01b70d38722

SHA512
59541b8e07eedbe79a1ade7befd8ee1dc966998848d96518133060e50b7ae96dedd24d79e23da802d17d83a281424ce4f1b6d332a6a2d7368123a0924bcf05a1

Download Submit
memory/2224-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2224-103-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2224-102-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2224-108-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2352-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2352-42-0x0000000000020000-0x000000000002F000-memory.dmp

Filesize
60KB

Download
memory/2352-109-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2968-20-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download
memory/2968-19-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download
memory/2968-10-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download
memory/2968-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-110-0x0000000000940000-0x000000000096C000-memory.dmp

Filesize
176KB

Download
memory/2968-111-0x0000000000940000-0x000000000094F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing