vobfus | b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81

General

Target

bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
Size

269KB
MD5

bf5137a8691cf5d59d4d0359648ef90d
SHA1

7c13db66a92798f1412c8bf599a116e9cf0797c6
SHA256

b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81
SHA512

2296c1e53ae29d2ce72d0a971cb6ecd465cc4ac6b15db30e59167f247c951febbf986581604d253991d50ad9f9f262ea963ed95e81bd85e40dfa95c4264ab7d2
SSDEEP

6144:bAiU9siB9LdRGEjXfO5T1ERn+Q6JqZgDiCP9tbsXkJn2IoS:bAHLXG4PO5TaR+QnZgDi7XIoS

Score

10^/10

vobfus discovery persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\1UH5DA76YKB1V = "C:\\Users\\Admin\\AppData\\Roaming\\YBY24D5FA8.exe"	javaapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\1UH5DA76YKB1V = "C:\\Users\\Admin\\AppData\\Roaming\\YBY24D5FA8.exe"	javaapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	javaapp.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	javaapp.exe
2944	javaapp.exe

Loads dropped DLL 6 IoCs

pid	Process
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2812	javaapp.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-50-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2944-48-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2944-45-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2944-57-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2944-58-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaupdatre = "C:\\Users\\Admin\\AppData\\Roaming\\javaapp.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1UH5DA76YKB1V = "C:\\Users\\Admin\\AppData\\Roaming\\YBY24D5FA8.exe"	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\1UH5DA76YKB1V = "C:\\Users\\Admin\\AppData\\Roaming\\YBY24D5FA8.exe"	javaapp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 2944	2812	javaapp.exe	35
PID 2812 set thread context of 0	2812	javaapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
2812	javaapp.exe
2944	javaapp.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2216	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2216	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2216	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2216	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2804	2216	cmd.exe	33
PID 2216 wrote to memory of 2804	2216	cmd.exe	33
PID 2216 wrote to memory of 2804	2216	cmd.exe	33
PID 2216 wrote to memory of 2804	2216	cmd.exe	33
PID 2400 wrote to memory of 2812	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2812	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2812	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2812	2400	bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe	34
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 2944	2812	javaapp.exe	35
PID 2812 wrote to memory of 0	2812	javaapp.exe
PID 2812 wrote to memory of 0	2812	javaapp.exe
PID 2812 wrote to memory of 0	2812	javaapp.exe
PID 2812 wrote to memory of 0	2812	javaapp.exe

C:\Users\Admin\AppData\Local\Temp\bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGWsF.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaupdatre" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javaapp.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Users\Admin\AppData\Roaming\javaapp.exe
  "C:\Users\Admin\AppData\Roaming\javaapp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\javaapp.exe
    C:\Users\Admin\AppData\Roaming\javaapp.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kGWsF.bat

Filesize
138B

MD5
436c51f33bd506ec8ffe22b5f70195eb

SHA1
6e2bbcdc65460c8e581523d3a2392e9e0d3ec975

SHA256
9963fbe891cd9d5ed860cdf65d1b427854465821cba2e498b58fd370c1989688

SHA512
e73efb5922cebf85631b00276a4a5a4d1fae31eae30fe94efce15474b6e9520aab3298739aca4bbf0f3c2391929cf5b6fd8b48624eee3d32f99b5a031bc45f3b

Download Submit
C:\Users\Admin\AppData\Roaming\javaapp.exe

Filesize
269KB

MD5
bf5137a8691cf5d59d4d0359648ef90d

SHA1
7c13db66a92798f1412c8bf599a116e9cf0797c6

SHA256
b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81

SHA512
2296c1e53ae29d2ce72d0a971cb6ecd465cc4ac6b15db30e59167f247c951febbf986581604d253991d50ad9f9f262ea963ed95e81bd85e40dfa95c4264ab7d2

Download Submit
memory/2400-39-0x0000000003430000-0x00000000036B7000-memory.dmp

Filesize
2.5MB

Download
memory/2400-38-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2400-35-0x0000000003930000-0x0000000003BB7000-memory.dmp

Filesize
2.5MB

Download
memory/2400-34-0x0000000003430000-0x00000000036B7000-memory.dmp

Filesize
2.5MB

Download
memory/2400-1-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2812-42-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2812-56-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/2944-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads