9664ae5c10632ceb13679a3375ce6c87b2e79615d6e789c8359379d4c3dc2793

General

Target

b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
Size

30KB
MD5

b6bf86fc7294b99ff0b400fbec236c23
SHA1

899420cee6fb2c07687ff69819257cdfe034cc4a
SHA256

9664ae5c10632ceb13679a3375ce6c87b2e79615d6e789c8359379d4c3dc2793
SHA512

9695d509648a4d18eb4963239de7f420b8c06547f5408c13dd178831db13c1b89a5c1c94a43798dcd796c1c573606b1bc03cbac717a0c04c168d292a46268add
SSDEEP

768:e6wQVAOfGpz9lHQ7NUDOXhCtg7MUwNYT0RE3:E7Oex9kwt6PwNYTl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2436	gbvgbv03.exe

Loads dropped DLL 2 IoCs

pid	Process
852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
2436	gbvgbv03.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/852-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"	gbvgbv03.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbvgbv03.exe	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gbvgbv03.exe	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\comres.dll	gbvgbv03.exe
File opened for modification	C:\Windows\SysWOW64\comres.dll.ocx	gbvgbv03.exe
File created	C:\Windows\SysWOW64\comres.dll.ocx	gbvgbv03.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvgbv03.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1256	852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe	21
PID 852 wrote to memory of 2436	852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe	31
PID 852 wrote to memory of 2436	852	b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\gbvgbv03.exe
    C:\Windows\system32\gbvgbv03.exe C:\Windows\system32\dbr03009.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\b6bf86fc7294b99ff0b400fbec236c23_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dbr03009.ocx

Filesize
54KB

MD5
17d57bc55b33a17feacd4c5f45d33e6a

SHA1
0b7d4b973b19190ef1fa96a52c4075a36c76c624

SHA256
e7049d0ad1440ed882e2f35277ac7006c98777e73307013423d8b31451b87e18

SHA512
8d66f6d1d69151efe7976018c28e952e50232ce0d29c4ff0ba9540041b68286b5cc0912dc7560f477722db2497260494a7858fef11889d76757c004092910f68

Download Submit
\Windows\SysWOW64\gbvgbv03.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/852-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/852-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1256-8-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2436-17-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download
memory/2436-21-0x0000000010000000-0x0000000010210000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads