479fbfe6c4f9aec101b4d43bf7584342ec5a26ea79154d08b0eb9fc3ec67663c

Reason

Machine shutdown

General

Target

95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Size

1.0MB
MD5

95cd8a4e9a5ee01a279ca8bd7543c441
SHA1

8eb50da7d6272940f1f024176c718a63758571bf
SHA256

479fbfe6c4f9aec101b4d43bf7584342ec5a26ea79154d08b0eb9fc3ec67663c
SHA512

182045368f6b8c2f9b6f0faca6999c42c0440cadcbe5abe3cfd20a3a22ac1b43a52a5878a2d651f31969fa0e5566810b8763844fcff585efb0b84e79e4e10131
SSDEEP

24576:sDTbM9Lz6497L3li89RwporXjQSk64Dc:ETQ9f6I7LlBLQSkHD

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\qaBhMN5DK0F3.pspro --run"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2968	qaBhMN5DK0F3.pspro

Executes dropped EXE 1 IoCs

pid	Process
2968	qaBhMN5DK0F3.pspro

Loads dropped DLL 2 IoCs

pid	Process
1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1412-1-0x0000000000400000-0x0000000000745000-memory.dmp	upx
behavioral1/memory/1412-2-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/1412-4-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/1412-12-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/1412-13-0x0000000000400000-0x0000000000745000-memory.dmp	upx
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-17-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-18-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-19-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-20-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-21-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-22-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-23-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-24-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-25-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-26-0x0000000000400000-0x0000000000757000-memory.dmp	upx
behavioral1/memory/2968-27-0x0000000000400000-0x0000000000757000-memory.dmp	upx

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaBhMN5DK0F3.pspro = "C:\\ProgramData\\qaBhMN5DK0F3.pspro --run"	qaBhMN5DK0F3.pspro

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qaBhMN5DK0F3.pspro

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pspro	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\shell	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\shell\open\command\ = "\"C:\\ProgramData\\\" --startexe \"%1\""	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\shell\open\command\ = "\"C:\\ProgramData\\qaBhMN5DK0F3.pspro\" --startexe \"%1\""	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\DefaultIcon\ = "%1"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "PSP"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pspro\ = "exefile"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pspro\Content Type = "application/x-msdownload"	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\shell\open\command	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\shell\open	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PSP\DefaultIcon	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2968	qaBhMN5DK0F3.pspro
2968	qaBhMN5DK0F3.pspro

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2968	1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe	31
PID 1412 wrote to memory of 2968	1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe	31
PID 1412 wrote to memory of 2968	1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe	31
PID 1412 wrote to memory of 2968	1412	95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412
- C:\ProgramData\qaBhMN5DK0F3.pspro
  "C:\ProgramData\qaBhMN5DK0F3.pspro" --run --delete "C:\Users\Admin\AppData\Local\Temp\95cd8a4e9a5ee01a279ca8bd7543c441_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\qaBhMN5DK0F3.pspro

Filesize
1.0MB

MD5
95cd8a4e9a5ee01a279ca8bd7543c441

SHA1
8eb50da7d6272940f1f024176c718a63758571bf

SHA256
479fbfe6c4f9aec101b4d43bf7584342ec5a26ea79154d08b0eb9fc3ec67663c

SHA512
182045368f6b8c2f9b6f0faca6999c42c0440cadcbe5abe3cfd20a3a22ac1b43a52a5878a2d651f31969fa0e5566810b8763844fcff585efb0b84e79e4e10131

Download Submit
memory/1412-0-0x0000000000760000-0x0000000000803000-memory.dmp

Filesize
652KB

Download
memory/1412-1-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/1412-2-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/1412-4-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/1412-12-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/1412-13-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2968-18-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-15-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-17-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-14-0x0000000000230000-0x00000000002D3000-memory.dmp

Filesize
652KB

Download
memory/2968-19-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-20-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-21-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-22-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-23-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-24-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-25-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-26-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download
memory/2968-27-0x0000000000400000-0x0000000000757000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads