51a139835bd2fa8a8f6e8f1fcd6c331f5128114f7bd2d9c1c24f6f0ecb50286b

General

Target

bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
Size

12KB
MD5

bac0b9b7b39bcd9524e6d7cd6bb8681a
SHA1

ccfb1039be0296335d6a21f6abfed8ea53a58fae
SHA256

51a139835bd2fa8a8f6e8f1fcd6c331f5128114f7bd2d9c1c24f6f0ecb50286b
SHA512

b5e929ba5e40469094246e7e1bdda5445e86cc4be641a8efbf2ef4bfa2a0baa90b7b8e12338304963c7844e058c4b6b975b3833741ca3b218e6994df9fc6a806
SSDEEP

192:Rpn5Hvx9kUYCh3ZF5Lrrl4aSm0d8etJ4arw7Y0wkm6rcgx6OsmjoNL927aYVFe0k:D5Hvx9kUlh3ZF5Lr2axWiJcgx6OsmjJ4

Score

8^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1124	fliecodsk.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x00080000000174a8-3.dat	upx
behavioral1/memory/2604-4-0x00000000003C0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2604-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1124-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fliecodsk.exe	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fliecodsk.exe	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fliecods.dll	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1124	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1124	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1124	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1124	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2656	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	32
PID 2604 wrote to memory of 2656	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	32
PID 2604 wrote to memory of 2656	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	32
PID 2604 wrote to memory of 2656	2604	bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\fliecodsk.exe
  C:\Windows\system32\fliecodsk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bac0b9b7b39bcd9524e6d7cd6bb8681a_JaffaCakes118.exe.bat

Filesize
210B

MD5
41195385482c175fbb7eb1b142634c3c

SHA1
8dd6d3d146d4081ff37a3c960c9b779856038d98

SHA256
77604b4b26bd3001ff8d42609174b8942a349897e5a99a4fe0a66790bdf50741

SHA512
8182c6633b4e4b20ffab5dc3c557ff5b21287506a41bb4c9e1659d8a197fe3726a6baaaecf051dc353482826690c2fec1dbf53826ec811164a55ce602f975948

Download Submit
\Windows\SysWOW64\fliecodsk.exe

Filesize
12KB

MD5
bac0b9b7b39bcd9524e6d7cd6bb8681a

SHA1
ccfb1039be0296335d6a21f6abfed8ea53a58fae

SHA256
51a139835bd2fa8a8f6e8f1fcd6c331f5128114f7bd2d9c1c24f6f0ecb50286b

SHA512
b5e929ba5e40469094246e7e1bdda5445e86cc4be641a8efbf2ef4bfa2a0baa90b7b8e12338304963c7844e058c4b6b975b3833741ca3b218e6994df9fc6a806

Download Submit
memory/1124-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2604-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2604-4-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2604-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing