56fb5abb9e08f3b8a4c6687d17bdfac8934ad7bbd2c36cd72dee6f2d89b44d4b

General

Target

a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Size

96KB
MD5

a514876de4bdee2e0d7d64be7728e77d
SHA1

880c2f3594bc599870e3110e0d900a457f0622e0
SHA256

56fb5abb9e08f3b8a4c6687d17bdfac8934ad7bbd2c36cd72dee6f2d89b44d4b
SHA512

5f0f01900bbf36d0c859950329d2a427139d825626da2a1b208a3a4c39f527331fc90fcedeb70d516c9f40a1b79de68c51bd36e3c5eaddb31928885c592a7064
SSDEEP

3072:mmOToguDKGe/Lzhx8O/aV6k8brDVAZRd2ox2e02ve:+TduDMYnWmZRooxb9m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	rs.exe
1624	atas.exe

Loads dropped DLL 5 IoCs

pid	Process
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2640	rs.exe
2640	rs.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000700000001211b-4.dat	upx
behavioral1/memory/2640-11-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2640-128-0x0000000003240000-0x0000000003260000-memory.dmp	upx
behavioral1/memory/1624-138-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2188-137-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2640-136-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x001100000001951c-143.dat	upx
behavioral1/memory/2188-219-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1624-391-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2188-430-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2188-755-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Saer = "C:\\Users\\Admin\\AppData\\Roaming\\atas.exe"	rs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Saer = "C:\\Users\\Admin\\AppData\\Roaming\\atas.exe"	atas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ContentService = "C:\\Windows\\system32\\winservn.exe"	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winservn.exe	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PurityScan\PuritySCAN.exe	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atas.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2640	2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2640	2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2640	2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2640	2188	a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1624	2640	rs.exe	32
PID 2640 wrote to memory of 1624	2640	rs.exe	32
PID 2640 wrote to memory of 1624	2640	rs.exe	32
PID 2640 wrote to memory of 1624	2640	rs.exe	32

C:\Users\Admin\AppData\Local\Temp\a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a514876de4bdee2e0d7d64be7728e77d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\rs.exe
  rs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\atas.exe
    C:\Users\Admin\AppData\Roaming\atas.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6bb84c00fec6f4a8a70db6fbf22ceff

SHA1
c8060b5665c6348a5b4987e62b05c46c435c916b

SHA256
e96efe54152772408bed6bbf71f373c8975559de3ce797a93c4d2ef9d91c6e7c

SHA512
d91ca820f069b7989792dc231658cbb36e9f726c67e7b5042c50d5bab6447efabf2d76ac830c5931dad5013c918cf830abcddeb770ffe5963a7e51fb4b44c4ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
809a306f53be8aa7e2b6a1825ca4f6ee

SHA1
995e31683a2c6ee955a827b247bcb450efb43363

SHA256
f55533778abcffb5296ad968fd300ad9a2e193021a22b0445c5015bf7809d717

SHA512
637e7f2cf1fa8cd66433dfe121a93908d0d7553c75f87047269cb03e906f5e0865144b92c95138b94e557ed68e1fbb782bf60eca49d512110faa8380cf3e508e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE5E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE80.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\PurityScan\PuritySCAN.exe

Filesize
96KB

MD5
a514876de4bdee2e0d7d64be7728e77d

SHA1
880c2f3594bc599870e3110e0d900a457f0622e0

SHA256
56fb5abb9e08f3b8a4c6687d17bdfac8934ad7bbd2c36cd72dee6f2d89b44d4b

SHA512
5f0f01900bbf36d0c859950329d2a427139d825626da2a1b208a3a4c39f527331fc90fcedeb70d516c9f40a1b79de68c51bd36e3c5eaddb31928885c592a7064

Download Submit
\Users\Admin\AppData\Local\Temp\rs.exe

Filesize
66KB

MD5
aab0bf7434c755ad44ee2c043622e071

SHA1
27d1a80af540dbb3030bbea2235932f9ffc144f4

SHA256
e2f78cec1a4acb13212176237edd93ae6dfb1fa31d068a9470dc20fc5e8c5a24

SHA512
b57a3cd036785bb8c3d8e80101eb0953402a177733b30fd3755ee7b9a13ae0c41edaf1df60f2972ae12ecad2e70ed1447e3a2d9a3945a6804465b273d2c58b5f

Download Submit
memory/1624-391-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1624-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-402-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/2188-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-142-0x0000000001D70000-0x0000000001D90000-memory.dmp

Filesize
128KB

Download
memory/2188-9-0x0000000001D70000-0x0000000001D90000-memory.dmp

Filesize
128KB

Download
memory/2188-145-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/2188-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-430-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-10-0x0000000001D70000-0x0000000001D90000-memory.dmp

Filesize
128KB

Download
memory/2188-755-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2640-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-128-0x0000000003240000-0x0000000003260000-memory.dmp

Filesize
128KB

Download
memory/2640-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads