958bcbcea8d6da363fa6af2c1483087c3a16e95369b7107f073de0ccc981009d

General

Target

c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe
Size

85KB
MD5

c1455f76ba619bc0dcdb9bf0fcb62640
SHA1

dace71d0072c62982602f988763713451be15530
SHA256

958bcbcea8d6da363fa6af2c1483087c3a16e95369b7107f073de0ccc981009d
SHA512

7d8c0a9124386323cc41585c1dab75951ea844be97aa8d4934569c6c59ea927e2d07ed23eebb71c66b7b86a4f7f948b144b43d35480cddd9c7a28dfc3eb49067
SSDEEP

1536:RUeHiWRgkkjH8nyWmJjukOfgKTynmtWUzH7DnA3VqiY1h+rY0u0vwxUM8Y:Rd/vyWmJjuv9mmtWkDnYVah+r3u0YxEY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2704	keygen.exe
4988	smss.exe
3280	spoolsv.exe

Loads dropped DLL 3 IoCs

pid	Process
3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe
4988	smss.exe
3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002343e-43.dat	upx
behavioral2/memory/3280-45-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/3280-47-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\efcBurQK.dll	smss.exe
File created	C:\Windows\SysWOW64\efcBurQK.dll	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4988	smss.exe
4988	smss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	smss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4988	smss.exe
3280	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 2704	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	84
PID 3784 wrote to memory of 2704	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	84
PID 3784 wrote to memory of 2704	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	84
PID 3784 wrote to memory of 4988	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	85
PID 3784 wrote to memory of 4988	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	85
PID 3784 wrote to memory of 4988	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	85
PID 4988 wrote to memory of 616	4988	smss.exe	5
PID 4988 wrote to memory of 4976	4988	smss.exe	98
PID 4988 wrote to memory of 4976	4988	smss.exe	98
PID 4988 wrote to memory of 4976	4988	smss.exe	98
PID 4988 wrote to memory of 440	4988	smss.exe	99
PID 4988 wrote to memory of 440	4988	smss.exe	99
PID 4988 wrote to memory of 440	4988	smss.exe	99
PID 3784 wrote to memory of 3280	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	101
PID 3784 wrote to memory of 3280	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	101
PID 3784 wrote to memory of 3280	3784	c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe	101

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1455f76ba619bc0dcdb9bf0fcb62640_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\UYRD4E\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\UYRD4E\keygen.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\UYRD4E\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\UYRD4E\smss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe ,a
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\UYRD4E\smss.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- C:\Users\Admin\AppData\Local\Temp\UYRD4E\spoolsv.exe
  "C:\Users\Admin\AppData\Local\Temp\UYRD4E\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UYRD4E\keygen.exe

Filesize
8KB

MD5
764816b0853f4bc76d92878e04490632

SHA1
bfc2997c3a61a8abb53091669ff853d511dcea0f

SHA256
d6d2c70ceac9723149acae43eb288e25080a46d9f5880cde35f94b8d55d27723

SHA512
b5cff3105b4602129445e5100d71cb04ee04bcca916966cbcc06ed059a8da20db31c4671ef93af7a526de50a0da8edb1fdae3441f148cbc9f78c449b812c0c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYRD4E\smss.exe

Filesize
31KB

MD5
3c552c8ce83792c261511288cbe45990

SHA1
06d6dc3eb66cfc85f053a7e91472067b4e1ebc29

SHA256
b0c3bc431a6f3b363ae17d1569901cd4c0e28c940835d520762e2cce76b1f702

SHA512
d230e9c8aadc1587970c75a2925236b9b153bfc49e16eca4b047447093430fbf48a76dae801c1c7866b9e8d46ed5f8c95ec74a6883cc6bc078d8f338d57613f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYRD4E\spoolsv.exe

Filesize
8KB

MD5
ef544c040911aa32513157cd5e929d79

SHA1
81781fd4af15d9a258d17aa66dc5735be14319ca

SHA256
406ce4c03c0261f8ab969c955b7721759bab4e9f44a573b0ded1ce87c6a5a1b3

SHA512
5b3423f3a60bda76de41ea34790030134e4a6dbda700d09dc63ecee9d113fe52920cacf71093eda5876cef774769681054d3581707c2220ad8ec7fa528622661

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5EEB.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
C:\Windows\SysWOW64\efcBurQK.dll

Filesize
25KB

MD5
de695d3e7c0375f0f983357d9305f8f3

SHA1
b6f9d69188cd9589e076414b3909349d6097df59

SHA256
e99657276cf3d0eae8c4485b867641aac7315e8f36514abd22e3f46e8bb43d6f

SHA512
7aa4f7797bb6e20fc78d39fcd2d80aff6a70ef736dd44366129a6d990515337e36f2e1680b72eb6703c01c94494ba425118847bbf6970c3cb5d8c21702d1a709

Download Submit
memory/3280-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3280-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4988-25-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4988-24-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4988-26-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/4988-27-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/4988-28-0x0000000010010000-0x0000000010011000-memory.dmp

Filesize
4KB

Download
memory/4988-23-0x0000000010010000-0x0000000010011000-memory.dmp

Filesize
4KB

Download
memory/4988-22-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/4988-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4988-15-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing