aa7f763e307de6f790ae5d80916e8eb846335ae34e49edcd16ae2391237eb393

General

Target

d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
Size

40KB
MD5

d3c480bf14d7c5c6af228f8322407a57
SHA1

1d5d5897bf6e839dd0e153f4ac62e6c3e5db2c64
SHA256

aa7f763e307de6f790ae5d80916e8eb846335ae34e49edcd16ae2391237eb393
SHA512

79d50068d64bbe61e0c8796f28d1a570341810a3a0c79a2d5bc511cef9b629c1e5c9840a2b3c9d85a04322f57a8fa405328976460e40523d74d2114c868c6008
SSDEEP

768:FV42RV/UvuOsEOLuaoQUBaGrwAsVSBjDvm5kh4bBY3+IQZY:FvpqufEfTQGrwSB/vMY3+D+

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\Atieccx.sys	cmvdd

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000233dc-17.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
3684	svchost.exe
4768	syss
8	cmvdd

Loads dropped DLL 1 IoCs

pid	Process
4512	svchost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddttxshat.dll	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3428 set thread context of 4512	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	101

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\svchost.exe	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	svchost.exe
File created	C:\Windows\Fonts\syss	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
File created	C:\Windows\Fonts\cmvdd	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syss
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmvdd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	syss

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
3684	svchost.exe
3684	svchost.exe
4768	syss
4768	syss

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3684	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	89
PID 3428 wrote to memory of 3684	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	89
PID 3428 wrote to memory of 3684	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	89
PID 3428 wrote to memory of 4768	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	97
PID 3428 wrote to memory of 4768	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	97
PID 3428 wrote to memory of 4768	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	97
PID 4768 wrote to memory of 3164	4768	syss	98
PID 4768 wrote to memory of 3164	4768	syss	98
PID 4768 wrote to memory of 3164	4768	syss	98
PID 3428 wrote to memory of 8	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	100
PID 3428 wrote to memory of 8	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	100
PID 3428 wrote to memory of 8	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	100
PID 3428 wrote to memory of 4512	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	101
PID 3428 wrote to memory of 4512	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	101
PID 3428 wrote to memory of 4512	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	101
PID 3428 wrote to memory of 4512	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	101
PID 3428 wrote to memory of 468	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	102
PID 3428 wrote to memory of 468	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	102
PID 3428 wrote to memory of 468	3428	d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3c480bf14d7c5c6af228f8322407a57_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\Fonts\svchost.exe
  C:\Windows\Fonts\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Windows\Fonts\syss
  C:\Windows\Fonts\syss
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Windows\Fonts\syss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3164
- C:\Windows\Fonts\cmvdd
  C:\Windows\Fonts\cmvdd
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\cmvdd

Filesize
12KB

MD5
b7dbacfc43e9084f0cebbcfecd321d42

SHA1
ddd1db6942bc4d53ad6e7a58cece8451687ab8c3

SHA256
8c8f50aa9c2f63b8ff6c68aa42824ad95134638dcdcb63535a0d573542054d07

SHA512
a5297cd0005eb0941558f16e89bf2285e641770c094a260f095135f32678830e431c34ee34c0d753bd7718de99a5e97b70bb21c37f64f7726e07c8a0ec892cbf

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
5KB

MD5
d1b686e09e16b32bab28d4ceb39d32b3

SHA1
c2502d41d4f947dadbd1bd3baa72b045149f786e

SHA256
e90075b284c4531ec7c7797be34a9724b9595dce80e6815bc24ea74ef2705d52

SHA512
ccac608609809c6988483bf374123f4218059577eefdcfbcc0b8e92c41b0b102abb460972b2f93d410ae309ff8e89e6044733d0b186d07f60f7ef5f32a4bcca4

Download Submit
C:\Windows\Fonts\syss

Filesize
1KB

MD5
f4ed1044cc0d6cc42e440711fb793351

SHA1
32c7448eb4c5696b3c15322ddd9106e42eb22c10

SHA256
5889649d626751af6b05482ecc398a02d453467f10fdfff2b94e50c85866488d

SHA512
47d8a728bb18c1b8acdf1dcc9e66e9093bf332368ea202c21a00d9bb17983f83dbefab9ee1e0baee7f4be236de445f0ff83c9b4a69ca6055d1916df4c75b5e78

Download Submit
C:\Windows\SysWOW64\ddttxshat.dll

Filesize
12KB

MD5
3e49419233bcad237527523d5493f165

SHA1
f560cdf62e66a68ef0bad2eed36b61adba97c157

SHA256
7b3e1142127996c8972846f0cf60360396f86f9f61474415ae9ef2b8e59f81be

SHA512
db9211b142e348a932a893f65489de8f4aeee2db6a0c0b9ee28eabfe8a0c4eda35abf7c49d5ad72fdc0957557ff1539bd72d9c4fc6b93ef94e1408cd16b00f5c

Download Submit
\??\c:\DEL.bat

Filesize
210B

MD5
9e893099b5578006c34d905dcf9fec9b

SHA1
0814dd61b5e94b0bbbc7aaa0a806be36c5240e68

SHA256
1e06cb3fb4a393d6d7ab62ab780748e0c552c3b55156022e4cdc2716b587fb54

SHA512
fe10073f151cdd7ad4f6e61101938fe1c40536351ef12fdd1699137015abfca01481eac0ef72fcb96aaa24a9ab66c6331fd356230515a3f17a401af910572119

Download Submit
memory/4512-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4512-20-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-22-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-23-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-25-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-27-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-29-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/4512-31-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing