bee01db4d798ebe5cbee780bdf65488c62f3ce6da6306fd940c398c9e729c7d6

General

Target

a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
Size

1.3MB
MD5

a4e622e0c4bd4359b4e15272faa9a21e
SHA1

6cbfc6147860aa68f431c30d31e8d629aa31d254
SHA256

bee01db4d798ebe5cbee780bdf65488c62f3ce6da6306fd940c398c9e729c7d6
SHA512

94fad4348e466ee8f999bd70a8cd48a85d71c8230745efdd8e7d0b38574d2fee9e0747800665dd5720bde5106e3d9f23468974bde7e544e2e5cf1e3a8db24205
SSDEEP

24576:muGShxmS7/63cCEpshK9pDDk+ZGC4BXj89NTiRDyeu1WL/BF74:2Shxt7C3c8qNq149NUKA/E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2076	log.exe
2484	windo.exe
2612	winacces.exe

Loads dropped DLL 12 IoCs

pid	Process
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2076	log.exe
2076	log.exe
2076	log.exe
2076	log.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0006000000019311-7.dat	upx
behavioral1/memory/2320-11-0x0000000003EF0000-0x0000000003F90000-memory.dmp	upx
behavioral1/files/0x0006000000019256-33.dat	upx
behavioral1/memory/2484-36-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2076-71-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2612-69-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2320-74-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2484-76-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2320-68-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2612-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DRIVESYS1 = "C:\\Windows\\System32\\bycool1\\windo.exe"	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DRIVESYS = "C:\\Windows\\System32\\bycool\\winacces.exe"	log.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2076-71-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2320-74-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2484-76-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2320-68-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2612-77-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bycool1\windo.exe	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bycool1\windo.exe	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bycool\winacces.exe	log.exe
File opened for modification	C:\Windows\SysWOW64\bycool1\log.exe	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\f	log.exe
File created	C:\Windows\SysWOW64\bycool\winacces.exe	log.exe
File created	C:\Windows\SysWOW64\bycool\myapp.exe	log.exe
File opened for modification	C:\Windows\SysWOW64\bycool1	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bycool\myapp.exe	log.exe
File created	C:\Windows\SysWOW64\bycool\my.dll	log.exe
File opened for modification	C:\Windows\SysWOW64\bycool\my.dll	log.exe
File created	C:\Windows\SysWOW64\bycool1\log.exe	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bycool	log.exe
File created	C:\Windows\SysWOW64\bycool\compilateur_auto.exe	log.exe
File opened for modification	C:\Windows\SysWOW64\bycool\compilateur_auto.exe	log.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winacces.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
2076	log.exe
2484	windo.exe
2612	winacces.exe
2612	winacces.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2076	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2076	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2076	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2076	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2484	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2484	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2484	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2484	2320	a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2612	2076	log.exe	31
PID 2076 wrote to memory of 2612	2076	log.exe	31
PID 2076 wrote to memory of 2612	2076	log.exe	31
PID 2076 wrote to memory of 2612	2076	log.exe	31

C:\Users\Admin\AppData\Local\Temp\a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4e622e0c4bd4359b4e15272faa9a21e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\bycool1\log.exe
  "C:\Windows\System32\bycool1\log.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\bycool\winacces.exe
    "C:\Windows\System32\bycool\winacces.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\SysWOW64\bycool1\windo.exe
  "C:\Windows\System32\bycool1\windo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bycool1\log.exe

Filesize
1.1MB

MD5
7a06dff9189a0cbb23b46afed14cbc74

SHA1
9aee5440c46ef20ef8ad20c7e8a6f54bffb80395

SHA256
0388d16dc56e5dd2091deb93ca876fb8bf06051a81122352910f117e7191ef1e

SHA512
99a6d847568c15fa51500adc99f406454019640e12b71408ef5756c90b16f7f84ae81bf27302862e07c1e783b633dc395355de3849321108efd0bafaf06a8ac7

Download Submit
\Windows\SysWOW64\bycool1\windo.exe

Filesize
1.3MB

MD5
a4e622e0c4bd4359b4e15272faa9a21e

SHA1
6cbfc6147860aa68f431c30d31e8d629aa31d254

SHA256
bee01db4d798ebe5cbee780bdf65488c62f3ce6da6306fd940c398c9e729c7d6

SHA512
94fad4348e466ee8f999bd70a8cd48a85d71c8230745efdd8e7d0b38574d2fee9e0747800665dd5720bde5106e3d9f23468974bde7e544e2e5cf1e3a8db24205

Download Submit
memory/2076-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2076-66-0x0000000004510000-0x00000000045B0000-memory.dmp

Filesize
640KB

Download
memory/2320-20-0x0000000003EF0000-0x0000000003F90000-memory.dmp

Filesize
640KB

Download
memory/2320-0-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2320-11-0x0000000003EF0000-0x0000000003F90000-memory.dmp

Filesize
640KB

Download
memory/2320-74-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2320-68-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2484-36-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2484-76-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2612-69-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2612-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads