458bfef45ad8cde63e8c804e95c38f1013ac7adb15e522b9127bc54c52fd39bd

General

Target

e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe
Size

177KB
MD5

e0e79865361fdb4f053f245bf6ae0555
SHA1

d4ae9140ae1b3289bfc728a0730d1e3645bdd050
SHA256

458bfef45ad8cde63e8c804e95c38f1013ac7adb15e522b9127bc54c52fd39bd
SHA512

d4d7fd0978c1cc2e0a742006568304bb4771bed4363a16e7f667e2d7370e76a204c015a57924aa4fe04d21c0d96da8ad9f63714f950261700c3c8de2cadc2858
SSDEEP

3072:vazL6x7laEmOwjYzUAcyXtRflxzmA2J5d1msUZjEU6l:veL6QDEzJFrWQssjHM

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1604-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/436-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1604-16-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1604-79-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3100-81-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3100-83-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/1604-197-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 436	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	91
PID 1604 wrote to memory of 436	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	91
PID 1604 wrote to memory of 436	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	91
PID 1604 wrote to memory of 3100	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	96
PID 1604 wrote to memory of 3100	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	96
PID 1604 wrote to memory of 3100	1604	e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e0e79865361fdb4f053f245bf6ae0555_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4656,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3EA2.172

Filesize
1KB

MD5
20942589899cf02e99d20999a0c44e24

SHA1
051653e9449030220c68c70d8b729d15154983c1

SHA256
540e782735765d76ff48855125abcd5c077e1b3ec8ec873b8372a075ab0cee87

SHA512
0c1c8db24ba5ddecb41b210da89a0fab065d3f7bf2d0cf8e816a79002ffb2158dc26d448a1fabcb8bc48317716b473d1461ed76a80e8c40bc032d9c419676f93

Download Submit
C:\Users\Admin\AppData\Roaming\3EA2.172

Filesize
600B

MD5
7b39e66cca9d465f2c612d0c6fc4e5ec

SHA1
7a690986be9c3bb5a9e5f934ce79b2cbb0fde9c6

SHA256
b686d50c959f7d1adc38cb0b6dcededa57b1970e38d8d9b5be8c1a744bb55a9c

SHA512
1a459a5d2ea2cca4795cc966283720318e52ee7ab39fd46c5fe0f5b19c94c14c6f3c591c402b0501919f74e456f19ae13244deb06fcd62b8903bb3e4c613813f

Download Submit
C:\Users\Admin\AppData\Roaming\3EA2.172

Filesize
996B

MD5
10a752ddf730ef8ad6748d87365eb1df

SHA1
fcac760fe4246d2f07b011d1b992fc83fc4eb1e4

SHA256
f97bf6c7802627bafe51e642254566483bcaef13675fd6d1078a39f229333aa2

SHA512
3397e2d3ae01de8fbc2735d6e647a8d6e613d97e838f4da7f144684d66267d3cf2554ef6fd3c726d1d205ffcdaba7284b255b459dca6afff356425f1848f979f

Download Submit
memory/436-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/436-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/436-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-16-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-79-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-197-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3100-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3100-83-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads