46dc099e6e92e1de7e64fff9b66073008148e803ff931218bff0786ee6fae405

General

Target

d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
Size

52KB
MD5

d6991ed520bb71033a36d94509f44c07
SHA1

f2c4c6c27fdf63dc6adedf197d4731d863272ec8
SHA256

46dc099e6e92e1de7e64fff9b66073008148e803ff931218bff0786ee6fae405
SHA512

360ba7088dada96d48e0c7749eb15d1baaa29a84cf70b66c228b643ac000d41d2b5da4f9337553690cd386ec6a76ee88561c0045a43a5448be9a3cd0313993ff
SSDEEP

768:LXsboeblozOtvdnHmw8DAQFU02mgWkXDCncoh+aHSTzavkLD5x5DPH6ui7gt1r7j:Ls36nO00VCncyHQHLDVz6Ut1CsWSK

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	vmdetdhc.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	vmdetdhc.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/files/0x0008000000017409-8.dat	upx
behavioral1/memory/1724-13-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1724-19-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1812-21-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vmdetdhc.exe = "C:\\Windows\\system32\\vmdetdhc.exe"	vmdetdhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vmdetdhc.exe = "C:\\Windows\\system32\\vmdetdhc.exe"	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vmdetdhc.exe	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vmdetdhc.exe	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vmdetdhc.exe	vmdetdhc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ResetTest.txt	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmdetdhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
1724	vmdetdhc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1724	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	30
PID 1812 wrote to memory of 1724	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	30
PID 1812 wrote to memory of 1724	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	30
PID 1812 wrote to memory of 1724	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2792	1724	vmdetdhc.exe	31
PID 1724 wrote to memory of 2792	1724	vmdetdhc.exe	31
PID 1724 wrote to memory of 2792	1724	vmdetdhc.exe	31
PID 1724 wrote to memory of 2792	1724	vmdetdhc.exe	31
PID 1812 wrote to memory of 2684	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2684	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2684	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	32
PID 1812 wrote to memory of 2684	1812	d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\vmdetdhc.exe
  C:\Windows\system32\vmdetdhc.exe -Start
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c erase /F /A "C:\Windows\SysWOW64\vmdetdhc.exe" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F /A "C:\Users\Admin\AppData\Local\Temp\d6991ed520bb71033a36d94509f44c07_JaffaCakes118.exe" > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\Beep.sys

Filesize
13KB

MD5
2c3482aa3bf0a80b04d1ae28432d508a

SHA1
b13c9a85e5d09438e9f201f3ea0a94b7b087c6a3

SHA256
e31f235499693b0a217e47426f591d4c946453a5db918ba7727159b4cae992ce

SHA512
1de92c90b7c8aa049dc8eece40363aef214830cf24c5e83ae33253d10c071a3ea68b7e6f7832743c5de177cdfb5843c2dd3dd78dae5c3cffdec3b42203921ea9

Download Submit
C:\Windows\SysWOW64\vmdetdhc.exe

Filesize
52KB

MD5
d6991ed520bb71033a36d94509f44c07

SHA1
f2c4c6c27fdf63dc6adedf197d4731d863272ec8

SHA256
46dc099e6e92e1de7e64fff9b66073008148e803ff931218bff0786ee6fae405

SHA512
360ba7088dada96d48e0c7749eb15d1baaa29a84cf70b66c228b643ac000d41d2b5da4f9337553690cd386ec6a76ee88561c0045a43a5448be9a3cd0313993ff

Download Submit
memory/1724-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1724-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-11-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/1812-10-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/1812-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads