43119b3a95989cb18dd0f1acc334c886e95b1d469715eb78cf9767abd51ce64b

General

Target

b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
Size

40KB
MD5

b8fef4fc1c25c304b4a9ca1fe9b04b65
SHA1

8faf42b90a115e56ed2bffbca03fd61530f61d45
SHA256

43119b3a95989cb18dd0f1acc334c886e95b1d469715eb78cf9767abd51ce64b
SHA512

1a0ff183233269a05f0c0c45a69fb93c940e69bc8657c9a081b7f91a562e8364ce011becacf7f1ac9bfeb033cefdad59d38cf3b328df6034710976c9889c175b
SSDEEP

768:fvO9SUNVvzFGd4pkfTas4AeVdpOwYGn+bhFPy7dxVZBZ6LZ2zPgtyO4ZbOPIHi:O91GUkus4PdhYBlFUoLZ2zPg68IHi

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000120fa-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	rundll32.exe
2784	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000120fa-5.dat	upx
behavioral1/memory/1732-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1732-24-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2784-28-0x0000000010000000-0x0000000010016000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\7E44.tmp	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfcos.dll	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dbgtemp	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dsoundtemp	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1692	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1692	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1692	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1692	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2752	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2752	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2752	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2752	1732	b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34
PID 2752 wrote to memory of 2784	2752	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8fef4fc1c25c304b4a9ca1fe9b04b65_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\sfc.exe
  "C:\Windows\system32\sfc.exe" /REVERT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\del.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\s2am.ime,Runed
    3⤵
    - Loads dropped DLL
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\7E44.tmp

Filesize
32KB

MD5
5c3217e0e7e10c8a1e11460de91ffcc4

SHA1
f9e6d4e7f2b66b7bc7ae8f13c6e86cf65ac7475c

SHA256
5cdecc7094a8ef8541d318ba4981da5ab65584c92cc38bf25a94262d1eaba60c

SHA512
5a2afa5ad722d6130285f514c7bcdb899fddb26f15dd5a41af3bf9d88c088fa68f4afe0fa61bb2a5d1edb72d949cc94802470a61aa6dbc7e8c6535dc9e03181f

Download Submit
C:\Windows\SysWOW64\dbgtemp

Filesize
9KB

MD5
c3545163199f7d12a1339489fd877dd4

SHA1
63f0ad4847aa669a0719ef5cce7031fbf80f6615

SHA256
ebaa703c2d70f0dfd10a5b4b309d64f75db3381df83981af430c3b29d0801c70

SHA512
bd8de961d40c23510778204e89722b24f99456c14cc67be2b358aa4d53b962f17eec9c731558c568126aa245e0b28f4e5f6475f85101490fe7e2123f212393d4

Download Submit
C:\Windows\SysWOW64\dsoundtemp

Filesize
4KB

MD5
e74734d35e56385de26d7877ef34395a

SHA1
0fbedc3043990ce43c87607ed6c79686cb352acf

SHA256
98b73d00985aee2cf76451c63aff1f6b3765ea2f0942427f0fe9731ca98e7083

SHA512
7115be3f75156899e390aff78e1be7f5c6765cac3510f3397012c7e0a6dd9157d0900da5348b6b8a056e1d37fb831e0e80854d517d1e4a779f3b75a3ae962afb

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
C:\del.bat

Filesize
195B

MD5
c1e4a251529fd8a6d1f11d49ddf429ad

SHA1
42443b533fb2f8a2f83cc81b41de1adf8eb479a7

SHA256
8eeca732d42c1f09d104f4ddbeddc7a53a6eeff810efa6c11dba4f9b6887d7eb

SHA512
536aa24de801bcd98e5af0d7d3d1fd9b1b96259dbf0ef989a44f47e62c84de2284175f7170be33ccfa73d47afe6b0a88bc12d664bc983069ed2e02cbcf1e6175

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1732-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2784-28-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads