226bca17ebf5c27416b1e575b4fc9861d0b69acc3e620b26959c62a6153df98b

General

Target

c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe
Size

255KB
MD5

c757507852cb5e4e7b3d8ac1f80cee20
SHA1

dbb860619c7ee2f0fbe124e9d7730a468e6cf9c3
SHA256

226bca17ebf5c27416b1e575b4fc9861d0b69acc3e620b26959c62a6153df98b
SHA512

52c9ca71f1a2d4416639324dd319a147395e81421a09942ea61c26884d496d9dcfd6b98fe3bea68f68d75806701d05dfed388f0dfebe7cfc7e9227e9d8b24e2b
SSDEEP

6144:+p0yN90PERzVFDbXabgRjkjpS40X5Y7NCxEEjr:/y90eDbXabgRjkjcLoN5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2244	Crypt3d1.exe
1136	Crypt3d1.exe
3964	Crypt3d1.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234bf-7.dat	upx
behavioral2/memory/2244-8-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1136-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2244-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1136-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1136-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1136-30-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 1136	2244	Crypt3d1.exe	87
PID 1136 set thread context of 3964	1136	Crypt3d1.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypt3d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypt3d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypt3d1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3964	Crypt3d1.exe
3964	Crypt3d1.exe
3964	Crypt3d1.exe
3964	Crypt3d1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	Crypt3d1.exe
1136	Crypt3d1.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2244	3744	c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe	86
PID 3744 wrote to memory of 2244	3744	c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe	86
PID 3744 wrote to memory of 2244	3744	c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe	86
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 2244 wrote to memory of 1136	2244	Crypt3d1.exe	87
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 1136 wrote to memory of 3964	1136	Crypt3d1.exe	88
PID 3964 wrote to memory of 3476	3964	Crypt3d1.exe	56
PID 3964 wrote to memory of 3476	3964	Crypt3d1.exe	56
PID 3964 wrote to memory of 3476	3964	Crypt3d1.exe	56
PID 3964 wrote to memory of 3476	3964	Crypt3d1.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c757507852cb5e4e7b3d8ac1f80cee20_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crypt3d1.exe

Filesize
55KB

MD5
75f9d7f929cb8b493fd0f30ea35379c0

SHA1
d8c8035c9f9730fae157a084efbbc64d4a86c0a2

SHA256
77aed79b49a663b8c103d0b4d902a602251b1cb87559d5ad808e3840ea8e2d83

SHA512
1637f6787d326886ee1bac68c41b34c935292839b6d65facfbf153a078e2940b86da1483ec2e54e8031c9fd8a8e17aea0db28afec3313207c286f07906cd04a0

Download Submit
memory/1136-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1136-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1136-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1136-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2244-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3476-32-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3476-31-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3744-0-0x0000000001000000-0x000000000107CBCC-memory.dmp

Filesize
498KB

Download
memory/3744-1-0x0000000001000000-0x000000000107CBCC-memory.dmp

Filesize
498KB

Download
memory/3744-20-0x0000000001000000-0x000000000107CBCC-memory.dmp

Filesize
498KB

Download
memory/3744-3-0x0000000001001000-0x000000000100C000-memory.dmp

Filesize
44KB

Download
memory/3744-2-0x0000000001000000-0x000000000107CBCC-memory.dmp

Filesize
498KB

Download
memory/3964-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3964-27-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3964-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3964-35-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads