19a58f9870ff5f4d4d4cc40efeeedfd1b0ad50cd9c0d539bb388d9aaa3a8bc66

General

Target

a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
Size

178KB
MD5

a5cef3835185aeb9ab243eff8c628b08
SHA1

a8ab20f7e6a8db5f42406b2d72c2da313bc85db3
SHA256

19a58f9870ff5f4d4d4cc40efeeedfd1b0ad50cd9c0d539bb388d9aaa3a8bc66
SHA512

bb80dd94b0394c04aadbe43df5058534a232e101f9f5662259f9fd0620dbe8d827b397e1a957d00b6212ad6ce5db422d7f6b8eda851fe64a0479c59dfc70d22f
SSDEEP

3072:E1BVEYwLa60O/9hwpPPgx3sAOgjKIGauTh8ePrImZVi5+YGq7UUR:GB3lOlhw1g9sAOI9GNZtViSqzR

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4516-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1132-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1132-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4516-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4516-106-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4924-108-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4516-188-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1132	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	86
PID 4516 wrote to memory of 1132	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	86
PID 4516 wrote to memory of 1132	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	86
PID 4516 wrote to memory of 4924	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	96
PID 4516 wrote to memory of 4924	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	96
PID 4516 wrote to memory of 4924	4516	a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a5cef3835185aeb9ab243eff8c628b08_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3C2C.9F5

Filesize
996B

MD5
dd42df90889bb8c1d9fc0374e74af3e1

SHA1
986975a3dd425aa7977da9e1ec287939a35e5905

SHA256
be7369abf36e61c56b3833571b763022f50e75b873162f2bfe8d130e88f49329

SHA512
c9dfacf76e1845e2bc8faf1fcac6d84cbbb48a261829d62a6b54804156a80ae775bb227e17ac511c47ccce957405ae8b5a415b2f3f62d37e01cf07fe8e9b50b0

Download Submit
C:\Users\Admin\AppData\Roaming\3C2C.9F5

Filesize
600B

MD5
04369a992fdb25eabac4fe6ba1d54f48

SHA1
803019a3a6136fe73dfb938ede5a300acbfef4e5

SHA256
930f083966afc7de4e46abf1f2a5b53c3a32700eaf7100ee179e53ec48d99bfb

SHA512
eabf1c50cbb5ee51378297704377ec78593a6790588b71824649e691d8aaec98d9688593c64fbc4a5db2dc606ce0d49bc6a02685ae635eaa09695016c39beff9

Download Submit
C:\Users\Admin\AppData\Roaming\3C2C.9F5

Filesize
1KB

MD5
6ee03f8766bdd0f64918a59320b314c2

SHA1
3759a75fc3f6eef2a9e61c03d8853025e334ba89

SHA256
92aa440a76279e6c4876608a7d39cc7ec6a58a88ceee3a437f3d332d87079550

SHA512
376bb053eeab0916f817550100f86cbb41a516819e3c982ffed11854bca75b79f3f25554e8e69a3934361e281eb3b1a2251e62aa71da11adf9ffcb397ce3c897

Download Submit
memory/1132-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1132-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1132-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4516-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4516-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4516-106-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4516-188-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4924-108-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads