1969f0a523637fbeba837e4c831172815325f7eb1b7998b4bc20a63ce625166d

General

Target

c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
Size

5.4MB
MD5

c08c4e432b1e91dd7d2eabd375d52249
SHA1

8b3590da0ec16f4c21de4e36c847ade1aa9461f3
SHA256

1969f0a523637fbeba837e4c831172815325f7eb1b7998b4bc20a63ce625166d
SHA512

b3eab01de414ce3e522f4bc255cf7b29aa1a992353fbae97c331419c4968d0b1fe414d9b4fecf482d91c687cdcb99ad63bb086b0770f3b5e69aedbc82e638da9
SSDEEP

24576:LXkpCNzgduJNQmn2ugeZAQbFT4B96NlpRruKc4wqXjFM5Uc1p8k2:LXJqcQRUAQkmuzjTI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2508	netview.exe
2936	360Safe.exe

Loads dropped DLL 4 IoCs

pid	Process
3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
2508	netview.exe
2508	netview.exe
2508	netview.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016ed2-7.dat	upx
behavioral1/memory/2508-9-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/files/0x0009000000012281-16.dat	upx
behavioral1/memory/2508-15-0x0000000003310000-0x000000000346F000-memory.dmp	upx
behavioral1/memory/2936-17-0x0000000000400000-0x000000000055E400-memory.dmp	upx
behavioral1/memory/2508-14-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/memory/2936-20-0x0000000000400000-0x000000000055E400-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellRun = "C:\\Users\\Admin\\Documents\\netview.exe"	netview.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360Safe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2508	netview.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	netview.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2508	3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2508	3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2508	3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe	31
PID 3056 wrote to memory of 2508	3056	c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2936	2508	netview.exe	32
PID 2508 wrote to memory of 2936	2508	netview.exe	32
PID 2508 wrote to memory of 2936	2508	netview.exe	32
PID 2508 wrote to memory of 2936	2508	netview.exe	32

C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\Documents\netview.exe
  C:\Users\Admin\Documents\\netview.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\Documents\360Safe.exe
    C:\Users\Admin\Documents\360Safe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Share Discovery

1

T1135

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\360Safe.exe

Filesize
5.3MB

MD5
4d02e7c44a780042444eb61e2b4ebd17

SHA1
3bcdac35f082f1f37a78db85a73c4b51fc7ae450

SHA256
c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f

SHA512
0a0bec282654d30a5742d60f2de823a1109163cb90ba8c9cf36b7c60bfdea6a0a6d4668372ed7e7e07d8731ae10c32c20d53dc3a81c8101b7a300cdcf9d51dd3

Download Submit
C:\Users\Admin\Documents\360netview.dll

Filesize
4.8MB

MD5
e3ce6845d6b42f44e0e0d11853deb67e

SHA1
7d500b8086ba6acef116d079be28c7dc41551628

SHA256
302f6a2917be8582898b8644e86315cb8e97211b846e589bfa00f3ac11e182dc

SHA512
86cb01c74181f3a37d9231031dda7ed0a7701b43a11e0e107b7aecafe2e1fee26655de089af9b8b554ff82a812063cc94ebd32acb3b1a1fa894c2041d01e0369

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
acf082455a5294a6138f7ed97fdddcc9

SHA1
5a8af8350238af48f54a868d9d397b902218c982

SHA256
1a13f9ce9ed3717fef71392ecc5e4f1de9100985f77dea247548651e543f236e

SHA512
0059ba46eb11981a5cda5b71cfdf7d6bc3e22df1d0aba8d32bc11c118c61302fe3951df6ec700d353a507202b013da368eb88abdf066b2bd39f2be6af98d4106

Download Submit
memory/2508-9-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2508-15-0x0000000003310000-0x000000000346F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-14-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2508-19-0x0000000003310000-0x000000000346F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-17-0x0000000000400000-0x000000000055E400-memory.dmp

Filesize
1.4MB

Download
memory/2936-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2936-20-0x0000000000400000-0x000000000055E400-memory.dmp

Filesize
1.4MB

Download
memory/2936-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads