badace7712a39b1a5481767b544d84c88673a6888d9dbfb89e094e09d528c288

General

Target

ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
Size

11KB
MD5

ea99435df70935d1b2171bca79c31a0b
SHA1

8e892ace8abb5380e7b75a64bc771c00c60f06ed
SHA256

badace7712a39b1a5481767b544d84c88673a6888d9dbfb89e094e09d528c288
SHA512

c1c846e54c585a51a085259be314f0cc9e781817195b217c16306376b148de0e62265a3083dba08a5385dc988972766f112c649cd45c85931dd903d3dd4a725c
SSDEEP

192:Xe24k6QgGGIpTBLPOjxrOdK8iveWnCMd7NJ:XF4kYGGIpTB7exrD1z

Score

8^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	eskislk.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016d3f-3.dat	upx
behavioral1/memory/2856-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2188-16-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eskisl.dll	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eskislk.exe	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eskislk.exe	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2188	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2188	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2188	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2188	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2860	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2860	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2860	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2860	2856	ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\eskislk.exe
  C:\Windows\system32\eskislk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ea99435df70935d1b2171bca79c31a0b_JaffaCakes118.exe.bat

Filesize
210B

MD5
963cef177f5fd828569e459c9471accf

SHA1
72f1b7658721d9379069a7b446ead6dc5dfe7eb0

SHA256
fca94cfed929e23bf77a01bdb1d53b8b67fad17af3e039f182fa848711ff8342

SHA512
c1e01adbc6d791c6d1400b79c83434711c5870c6b16668a54211dbd4a1514145f4b3e46053b8a9d37a4956f081fe7ee1a7e2aefae12d383a161f4bf15a86bb58

Download Submit
\Windows\SysWOW64\eskislk.exe

Filesize
11KB

MD5
ea99435df70935d1b2171bca79c31a0b

SHA1
8e892ace8abb5380e7b75a64bc771c00c60f06ed

SHA256
badace7712a39b1a5481767b544d84c88673a6888d9dbfb89e094e09d528c288

SHA512
c1c846e54c585a51a085259be314f0cc9e781817195b217c16306376b148de0e62265a3083dba08a5385dc988972766f112c649cd45c85931dd903d3dd4a725c

Download Submit
memory/2188-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2856-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2856-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2856-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2856-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2856-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2856-14-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing