98a725eba454c0f33a96ccf58cad810f3265c9d6ad5d1f5030e321ac02290825

General

Target

bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe
Size

166KB
MD5

bc3b65bef50d18acdab75426e0656db3
SHA1

6fca8ec1403555ed5045ac0f0564663cbc4a6df0
SHA256

98a725eba454c0f33a96ccf58cad810f3265c9d6ad5d1f5030e321ac02290825
SHA512

3a939ff8517fc64012660a0d37d75e6ba02c23d53431e7e3cc4ba0fac676b916c8664cb2f15be20fff8123c4a30535fea6704c64b4c9400572c54a0ec5f2f537
SSDEEP

3072:Asdam22aM+rzW+sVhKBq1mckVTwk1UFlc/Mu+AyUXP/ArLzt:AstmkhKQ1jELWlcuAyUX3czt

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\E53B0\\F88D4.exe"	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-3-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/212-19-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/212-20-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4828-21-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4828-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/2296-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4828-133-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4828-303-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 212	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	92
PID 4828 wrote to memory of 212	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	92
PID 4828 wrote to memory of 212	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	92
PID 4828 wrote to memory of 2296	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	96
PID 4828 wrote to memory of 2296	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	96
PID 4828 wrote to memory of 2296	4828	bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe startC:\Program Files (x86)\LP\D4AE\9CB.exe%C:\Program Files (x86)\LP\D4AE
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bc3b65bef50d18acdab75426e0656db3_JaffaCakes118.exe startC:\Program Files (x86)\B0089\lvvm.exe%C:\Program Files (x86)\B0089
  2⤵
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E53B0\0089.53B

Filesize
597B

MD5
0f26bc4e7df2b67c5f6092cfe7e5bda6

SHA1
d9821bf8dfd0b874a272f3d3e05659aac59167f7

SHA256
7c4df6324b1d46b2bc351cda892bd989b6b1ca926d10b9c24cc8f8dadf52ebe5

SHA512
b5a8ddc45648e500d95a0099b6e65746d9fe07897e732aedb632fc1c8d57646fd15598508cde90dd9d28838ff4e6e16cb516ed2152f6015af92bef3f6eb04a12

Download Submit
C:\Users\Admin\AppData\Roaming\E53B0\0089.53B

Filesize
1KB

MD5
759b7797cb59a49e4f71b9e246d50dc1

SHA1
84497455c1b4738c382fc553c7a4f3d6d84ecd5e

SHA256
729ba20ed01eec52c424568b865f868602b2a9164b9b1ee7232ecb2da76bcad8

SHA512
4707fff306d68acb6328f1aef2dda81874ac2239cf3278587e15c11229a5663f0e33fc339ce6f136672fc0be4026bd5fe10a58e066aff89a1ffd616c1678ab2e

Download Submit
C:\Users\Admin\AppData\Roaming\E53B0\0089.53B

Filesize
1KB

MD5
d153f21d90e946d60145faa01d45e209

SHA1
f942c162378a3a56314962b22b1a4c7ac88e2daa

SHA256
4af9546468ff30d9e4ce2b5031ba3646776559424a4970bd069f2f1f0e83582b

SHA512
5a524534599f3d7173de354f24c1bf3f49746343e55b00becd08c5dbcdddc4c1b896dcf087666ea966993669c8c1b99ace38863dd4a646671c74b605121e93ac

Download Submit
C:\Users\Admin\AppData\Roaming\E53B0\0089.53B

Filesize
897B

MD5
57d302b1807cb388ac908460bbab7606

SHA1
982f48053a2f616cc1a30e955ff01d27e3216b64

SHA256
03f2b49eaf2064363720a4d826c15fe9ee7a5dc41ec86a3d2ad5e0bb19fa224c

SHA512
2c241338500219310518a9b9d99848dc4f0ad4f59583532b1092920367a5bdcfa2a748eeb587310d9e9bda01521d396b7a2343cee9e933ad76fa67898a114937

Download Submit
memory/212-19-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/212-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2296-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4828-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4828-21-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4828-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4828-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4828-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4828-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4828-303-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads