95bf44ad7c1e827f859b2e69838fd936e703546f2b54f60c8acbb1516d93ec1d

General

Target

c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Size

153KB
MD5

c7863ca4746b2fae4495bfa6f3162077
SHA1

1c81b9679f8c1cf5999e7a94aedd47bf1cb2b3b0
SHA256

95bf44ad7c1e827f859b2e69838fd936e703546f2b54f60c8acbb1516d93ec1d
SHA512

f4c31c5e01daee0ff6de447949bac02da7809d2779b31d69f11ffa6d87c017a915a6dd878d8921a7cf20afd7d9863323451b9f9212140bfb90c5bfbd44019eef
SSDEEP

3072:s94QzUtkEThySk9oOpz+8GHxmFLtcTjc0MiY1p:s94/h1u2UEjBFY1p

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2624	Exporer32.exe
2784	R00nH4x0l2.exe

Loads dropped DLL 4 IoCs

pid	Process
2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
2624	Exporer32.exe
2624	Exporer32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-24-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/files/0x0008000000016cb7-20.dat	upx
behavioral1/memory/2624-31-0x0000000000250000-0x0000000000286000-memory.dmp	upx
behavioral1/memory/2624-44-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2784-45-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Load = "C:\\Windows\\system32\\R00nH4x0l2.exe"	Exporer32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\R00nH4x0l2.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\Y_MELT.txt	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\R00nH4x0l2.exe	R00nH4x0l2.exe
File opened for modification	C:\Windows\SysWOW64\Y_MELT.txt	R00nH4x0l2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI4	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R00nH4x0l2.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "1975227362"	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E844B0BE-681C4B67-0B649277-F0E02467}\ = 7c5233399e9c4303b66e958db8d09bc046b04adaa946b30599a4bb4599c7870585e4bb04a107934a81697b08661385be889da9fc88deb3bc9e9e830295f75525d67b5259770dea2cc8d3eef9ad67b0da293ff0a213df067d35602462c9e1f79c2543541679c55b6bc6b6b564589b018120c7c3e58e944dc90c9031f5e057bf0a62eff66d54d378f9a3249927bf4a9d2f7f7222290fa8d22fc6726aaf3732ea276e6aec17307ad3def98267380aa7a9d52b7bb61ed4c33aaea7ad952c0b132e464d352c6473171e8a7d2fdc92c209307415e634fa17deca7cb6235ae6f95a63819e1b023e575d8a00f0a5e24be0f6be1bdcfe7c1d60c047f81a620107cc8ab337a66a2589c8ec6ed2cdc82c528df1ece76ed57347690ad097814540f41b15c6b4aba74efa0da130c4e546945b4979d3240925ccd810803bb45e663d1560c413747eab1d56808b0aae49d388c936ab55c9f897a30566f41b14c63bb526a83509e408cab72f6a72a958943dc95c8cc3eff14def0c6dd1f08f1d8dc02f25f2d810c00f32726161583c012364c6caa5f088e673941ebafd1e6303f67e2523f466e83b74a6252ae4a95837bd6a5f8f42cdc0ef4cb26edfb382e927efeaed37afdacd3f53e271cea82cd613043e97238506fb2599e8ffe85d563cf5e3db9e0183f8cf06c8b26d17de30a320b5f58317d4d9b92f9cb99b5b7bcf5d13ef18982a9f31673675f653d4b952800c66defe7cc3f230d3	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{E844B0BE-681C4B67-0B649277-F0E02467}	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E844B0BE-681C4B67-0B649277-F0E02467}\ = 7c5233399e9c4303b66e958db8d09bc046b04adaa946b30599a4bb4599c7870585e4bb04a107934a81697b08661385be889da9fc88deb3bc737263f192f7552534e8e92c770dea2cc8d3eef9ad67b0da293ff0a213df067d35602462c9e1f79c2543541679c55b6bc6b6b564589b018120c7c3e58e944dc90c9031f5e057bf0a62eff66d54d378f9a3249927bf4a9d2f7f7222290fa8d22fc6726aaf3732ea276e6aec17307ad3def98267380aa7a9d52b7bb61ed4c33aaea7ad952c0b132e464d352c6473171e8a7d2fdc92c209307415e634fa17deca7cb6235ae6f95a63819e1b023e575d8a00f0a5e24be0f6be1bdcfe7c1d60c047f81a620107cc8ab337a66a2589c8ec6ed2cdc82c528df1ece76ed57347690ad097814540f41b15c6b4aba74efa0da130c4e546945b4979d3240925ccd810803bb45e663d1560c413747eab1d56808b0aae49d388c936ab55c9f897a30566f41b14c63bb526a83509e408cab72f6a72a958943dc95c8cc3eff14def0c6dd1f08f1d8dc02f25f2d810c00f32726161583c012364c6caa5f088e673941ebafd1e6303f67e2523f466e83b74a6252ae4a95837bd6a5f8f42cdc0ef4cb26edfb382e927efeaed37afdacd3f53e271cea82cd613043e97238506fb2599e8ffe85d563cf5e3db9e012316c106c8b26d17de30a320b5f58317d4d9b92f9cb99b5b7bcf5d13ef18982a9f31673675f653d4b952800c66defe7c032b3f9b	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{E844B0BE-681C4B67-0B649277-F0E02467}\ = 7c5233399e9c4303b66e958db8d09bc046b04adaa946b30599a4bb4599c7870585e4bb04a107934a81697b08661385be889da9fc88deb3bc9e9e830295f7552534e8e92c770dea2cc8d3eef9ad67b0da293ff0a213df067d35602462c9e1f79c2543541679c55b6bc6b6b564589b018120c7c3e58e944dc90c9031f5e057bf0a62eff66d54d378f9a3249927bf4a9d2f7f7222290fa8d22fc6726aaf3732ea276e6aec17307ad3def98267380aa7a9d52b7bb61ed4c33aaea7ad952c0b132e464d352c6473171e8a7d2fdc92c209307415e634fa17deca7cb6235ae6f95a63819e1b023e575d8a00f0a5e24be0f6be1bdcfe7c1d60c047f81a620107cc8ab337a66a2589c8ec6ed2cdc82c528df1ece76ed57347690ad097814540f41b15c6b4aba74efa0da130c4e546945b4979d3240925ccd810803bb45e663d1560c413747eab1d56808b0aae49d388c936ab55c9f897a30566f41b14c63bb526a83509e408cab72f6a72a958943dc95c8cc3eff14def0c6dd1f08f1d8dc02f25f2d810c00f32726161583c012364c6caa5f088e673941ebafd1e6303f67e2523f466e83b74a6252ae4a95837bd6a5f8f42cdc0ef4cb26edfb382e927efeaed37afdacd3f53e271cea82cd613043e97238506fb2599e8ffe85d563cf5e3db9e012316c106c8b26d17de30a320b5f58317d4d9b92f9cb99b5b7bcf5d13ef18982a9f31673675f653d4b952800c66defe7c60026cda	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
2624	Exporer32.exe
2784	R00nH4x0l2.exe
2784	R00nH4x0l2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2624	2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2624	2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2624	2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2624	2812	c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2784	2624	Exporer32.exe	31
PID 2624 wrote to memory of 2784	2624	Exporer32.exe	31
PID 2624 wrote to memory of 2784	2624	Exporer32.exe	31
PID 2624 wrote to memory of 2784	2624	Exporer32.exe	31

C:\Users\Admin\AppData\Local\Temp\c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7863ca4746b2fae4495bfa6f3162077_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\R00nH4x0l2.exe
    C:\Windows\system32\R00nH4x0l2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
53KB

MD5
b2abb644b7e841417e95edee2d4e8614

SHA1
31f3ad9493a6061fff6da386650b29f14e2d871d

SHA256
adac5b908bf637dc6f1b1e8619b293038b9605a78c8f9965d1ad3b3b5b9ed4c6

SHA512
61acb27e263d1ade0d59f3f2ba9fd8d950164b2fcb1b638f6aca5d3df8b1850b56d187f3bf61226cf0008a7d81815bf7b67f99fce2e440a802cb3e5efd6a31cb

Download Submit
C:\Windows\PCGWIN32.LI4

Filesize
528B

MD5
1ff59a816bebfac8bd6527667756361d

SHA1
ab885e1de734c070ffa47d80e8c384d1b634f409

SHA256
9617c74a912118c9b193d25b226db937f00dca350a6a321d8baa6a06430e15f8

SHA512
95ee0029c9352dbf2f56432a1d65377429e847ed5b52468c075068181a0e8610d06dad1c75c497e4d71127ae5366aee519264ed239b178876184ac0d112dd440

Download Submit
C:\Windows\SysWOW64\Y_MELT.txt

Filesize
47B

MD5
6edff0bbb52d90af63df7ef2599df1bd

SHA1
69af0ad4ec7130e8a5a3d55f080ae0656526cf7b

SHA256
392294511359b0098fdd4a0796a4260e13c6e923fe9017e226aab3ecc2e3898b

SHA512
ac48f4da4558d721f0cda431cb1b017db3dfb4a131ef0c723fc316145f0e1474f84a0cb898416d172bc22c700d54312268d1ba9376188d059420b70057e1cf6a

Download Submit
memory/2624-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-31-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2624-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2812-9-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2812-23-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2812-22-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads