5129bca4bb22a33e7921697bbe858339abf7dcc4ee0b829a3e36f5fb2463e19e

General

Target

eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Size

186KB
MD5

eaba9f90a8f41bc149c578fe6350875f
SHA1

509aa36760737e9f4d038331137798adfba25dab
SHA256

5129bca4bb22a33e7921697bbe858339abf7dcc4ee0b829a3e36f5fb2463e19e
SHA512

0d3e09a3d4ec62d117ecbb32a3a8708f8a15f521ec964d24d6bf8361507032e50e8827ea1e67dd0316a1611553382900d7f8b0bbfd3d9d314dfb7ea2baf8a1bd
SSDEEP

3072:4se+a4qmFBRCjNbc2NalmlwcuuZZCceyjLcjs8ZNXcbO9CsW5jWPO4kK03qYK:4seV45ChNL5uuZEQjCs4sbqVWtq

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vqzylfrz\Parameters\ServiceDll = "C:\\Windows\\system32\\wumdcmo.dll"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vqzylfrz\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2720-0-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2720-13-0x0000000000280000-0x00000000002A4000-memory.dmp	upx
behavioral1/memory/2720-18-0x0000000000280000-0x00000000002A4000-memory.dmp	upx
behavioral1/memory/2720-17-0x0000000000280000-0x00000000002A4000-memory.dmp	upx
behavioral1/memory/2720-16-0x0000000000280000-0x00000000002A4000-memory.dmp	upx
behavioral1/memory/2720-20-0x0000000000350000-0x0000000000393000-memory.dmp	upx
behavioral1/memory/2720-33-0x0000000000450000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/2720-34-0x0000000000450000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/2720-35-0x0000000000450000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/2720-42-0x0000000000450000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/2720-43-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2720-45-0x0000000000280000-0x00000000002A4000-memory.dmp	upx
behavioral1/memory/2664-46-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-47-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-59-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-61-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-62-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-63-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-60-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2664-66-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4E6E2E-B95E-4556-925E-41001F6C7052}	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort\Impersonate = "0"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort\DLLName = "wumdcmo.dll"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort\Logoff = "WLEventLogoff"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort\Logon = "WLEventLogon"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\frswkort	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\frswkort\Asynchronous = "0"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wumdcmo.dll	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxzzdwv.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\ProgID\ = "Nxnywbmd"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32\ = "c:\\windows\\SysWow64\\wumdcmo.dll"	rundll32.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32\ThreadingModel = "Apartment"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nxnywbmd\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32\ = "c:\\windows\\SysWow64\\wumdcmo.dll"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Nxnywbmd\CLSID	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\ProgID	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nxnywbmd\CLSID\ = "{8A4E6E2E-B95E-4556-925E-41001F6C7052}"	rundll32.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\ProgID	rundll32.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}	rundll32.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Nxnywbmd	rundll32.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Nxnywbmd\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nxnywbmd\CLSID\ = "{8A4E6E2E-B95E-4556-925E-41001F6C7052}"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\ProgID\ = "Nxnywbmd"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Nxnywbmd	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nxnywbmd\	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\Version = "82"	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Key created	\Registry\Machine\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A4E6E2E-B95E-4556-925E-41001F6C7052}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2664	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2936	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2936	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2936	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2936	2720	eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaba9f90a8f41bc149c578fe6350875f_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Windows\system32\wumdcmo.dll",DllMain -
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2664
- C:\Windows\SysWOW64\at.exe
  C:\Windows\system32\at.exe 12:0:00 /every:Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wumdcmo.dll",DllMain -
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Browser Extensions

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wumdcmo.dll

Filesize
100KB

MD5
6d14282bdf8e4094b84310f29b5a178e

SHA1
7f21d2a3659d2c55ad0fdf73b9948325af385041

SHA256
59294399d2c9d0b86ba85628ea09d9cfcda18b502b8f9c300b3621e8d3d024aa

SHA512
bc51566c7b0611621316ed1cc5887fb4dec93c33eccb8a664ac34aaad5a897b52809cd7c6b81bc76d61149f4510e8ddf7004bf3be8bab12985258b0e25cabf61

Download Submit
memory/2664-41-0x00000000001E0000-0x0000000000227000-memory.dmp

Filesize
284KB

Download
memory/2664-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-65-0x00000000001E0000-0x0000000000227000-memory.dmp

Filesize
284KB

Download
memory/2664-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-62-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-59-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-54-0x0000000002270000-0x0000000002380000-memory.dmp

Filesize
1.1MB

Download
memory/2664-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2720-24-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2720-35-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2720-33-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2720-42-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2720-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-44-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2720-45-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2720-32-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/2720-34-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2720-25-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2720-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-20-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2720-16-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2720-17-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2720-18-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2720-13-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2720-8-0x0000000001F60000-0x0000000002070000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads