1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f

General

Target

a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Size

236KB
MD5

a14124a3f85e4b827de7fc26f3f8a486
SHA1

297681b8de6ba22ddadae836772f41126565dc77
SHA256

1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f
SHA512

c4eff1395ff4321a09791f8581f0e86f2d72ce968a3da779ab9ce94f70b2e0ab830d340a10993fa0d3e241326269f021f78223e8ce4e5cd81d88b735b7ebdebd
SSDEEP

6144:hZiKocSHVJgztFoJqu4rspWcDXH4xU38PYuHSnzvQ/+:ijbHV2ZspbDXYxq8wuMzvV

Score

8^/10

aspackv2 defense_evasion discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0\StubPath = "C:\\Windows\\certproc32.exe"	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0	certproc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0\StubPath = "C:\\Windows\\certproc32.exe"	certproc32.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00080000000234cb-26.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	certproc32.exe

Loads dropped DLL 1 IoCs

pid	Process
4784	certproc32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Legacy VGA Drivers V1.0 = "C:\\Windows\\certproc32.exe"	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Legacy VGA Drivers V1.0 = "C:\\Windows\\certproc32.exe"	certproc32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\certproc32.exe	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
File created	C:\Windows\jtcres32.dll	certproc32.exe
File created	C:\Windows\mapisrv32.dll	certproc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certproc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	certproc32.exe
4784	certproc32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4784	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4784	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4784	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4384	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	98
PID 2924 wrote to memory of 4384	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	98
PID 2924 wrote to memory of 4384	2924	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	98
PID 4784 wrote to memory of 3480	4784	certproc32.exe	56
PID 4784 wrote to memory of 3904	4784	certproc32.exe	100
PID 4784 wrote to memory of 3904	4784	certproc32.exe	100
PID 4784 wrote to memory of 3904	4784	certproc32.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\certproc32.exe
    "C:\Windows\certproc32.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A14124~1.EXE>> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\certproc32.exe

Filesize
236KB

MD5
a14124a3f85e4b827de7fc26f3f8a486

SHA1
297681b8de6ba22ddadae836772f41126565dc77

SHA256
1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f

SHA512
c4eff1395ff4321a09791f8581f0e86f2d72ce968a3da779ab9ce94f70b2e0ab830d340a10993fa0d3e241326269f021f78223e8ce4e5cd81d88b735b7ebdebd

Download Submit
C:\Windows\mapisrv32.dll

Filesize
226KB

MD5
e9326b68533f7ca45c0c7a98ffeacc48

SHA1
2beaf06644e7d7c0834d217cedf681fe85f8dc6b

SHA256
22d9ae4a5f5730616c18e1f2088784ebe5e26e83d9ebf555a114c225380d4671

SHA512
d0f42c8e08c26d7d5c8fed534d9102c876f0364e63c5ad3c61efff8ac36e07d175d19d8aa80c12c00fcbff3969170f2e34717ab58546800c2669de1d91147433

Download Submit
memory/2924-4-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2924-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2924-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2924-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-18-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-22-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-25-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-28-0x0000000013100000-0x0000000013147000-memory.dmp

Filesize
284KB

Download
memory/4784-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-34-0x0000000013100000-0x0000000013147000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads