9948310d250dacd1f19d2b80510e86dd0403146b3503abd5ef294672ecb66066

General

Target

e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Size

124KB
MD5

e0433cbd5cbbcc60df0a814cc75b057b
SHA1

03c2fc3f3d2dc855960ed55f63b356c2db6b72d2
SHA256

9948310d250dacd1f19d2b80510e86dd0403146b3503abd5ef294672ecb66066
SHA512

2b4d476a181d17f002273a3ceee20c195ef0238bd9b31d3269c7741729198f091e175abe141f505109f7713deb9f6624e1ad4823c8eebea4fdf1782009f63172
SSDEEP

1536:qFDLNGB0Quqle7WJAjwcY7LtKnBDka58g0ApRHSIWXvpNQa9lq5cbrRIJx7w7hyg:qNL7nwxiO7LtKBQ2bjWXxr9EUrfCQJX

Score

10^/10

discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1824	netsh.exe

Deletes itself 1 IoCs

pid	Process
2608	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
656	lsass.exe
2608	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
656	lsass.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2716-2-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0065000000011c27-31.dat	upx
behavioral1/memory/656-49-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 656 set thread context of 2608	656	lsass.exe	35

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
2608	lsass.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2844	2716	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	30
PID 2844 wrote to memory of 1824	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1824	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1824	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1824	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	32
PID 2844 wrote to memory of 656	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	34
PID 2844 wrote to memory of 656	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	34
PID 2844 wrote to memory of 656	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	34
PID 2844 wrote to memory of 656	2844	e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe	34
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35
PID 656 wrote to memory of 2608	656	lsass.exe	35

C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      C:\Users\Admin\AppData\Roaming\lsass.exe /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
      4⤵
      Modifies WinLogon for persistence
      Deletes itself
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\lsass.exe

Filesize
124KB

MD5
f3d079d079bc923c8c52c15c97defc01

SHA1
2905e5e990ca4444a6295f2567f3453bd240afd4

SHA256
a2ce3376897db911d68986bdb5540d634bbf0a812e0ade2881076687674374fc

SHA512
cf244e3f43bfb7f8d25edcc478e1f8943c97acbbcf463e2543bd5c91fb735c74a5859212b758a876147bdd87143b280fd10e6d05d7e6d892fac4c3722bdab8fb

Download Submit
memory/656-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/656-50-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/2608-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2608-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2716-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2716-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2716-3-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2844-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2844-53-0x0000000000420000-0x00000000004FF000-memory.dmp

Filesize
892KB

Download
memory/2844-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2844-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2844-38-0x00000000031F0000-0x000000000321A000-memory.dmp

Filesize
168KB

Download
memory/2844-39-0x00000000031F0000-0x000000000321A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads