ddaa9f1e4d09add675e24eccf39deebc727aa9f45694ddef12aebe7b13ccd8ef

General

Target

eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe
Size

42KB
MD5

eabd019ce78357ace1d2316a36397054
SHA1

89c13864ae5f6fcc6d44149fa91affda7a97c45a
SHA256

ddaa9f1e4d09add675e24eccf39deebc727aa9f45694ddef12aebe7b13ccd8ef
SHA512

6d3d99b1a7fca1f5ad5c11ec9982d8af8a86ee1cef00c80bd6134ac3ef0b2014ac3a0e32b4587ab2592860a2f4950ac938c032fd6d7587c8b7c689c69b2ca871
SSDEEP

768:NzdmXnsMXl5H0j84tsKTidJb8nMLGypq/W2fHv8hUkKDukCul3hcpJZPYJoE0k:NoXEj86sKs8nMXq/pfBkKDudQmp2

Score

7^/10

defense_evasion discovery persistence privilege_escalation upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016dd2-14.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2428	AFDF.tmp

Executes dropped EXE 1 IoCs

pid	Process
2428	AFDF.tmp

Loads dropped DLL 9 IoCs

pid	Process
1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe
1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe
780	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016dd2-14.dat	upx
behavioral1/memory/2376-18-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/780-24-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/780-29-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/2376-30-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/780-32-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/780-35-0x0000000010000000-0x000000001001C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\360Update = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\360data\\foxgeve.dll\",_RunAs@16"	rundll32.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
780	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AFDF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "C:\\Users\\Admin\\AppData\\Local\\360data\\3c1ae2e8.z,1341477088,-1038824287,-1814625877"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2428	1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe	30
PID 1880 wrote to memory of 2428	1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe	30
PID 1880 wrote to memory of 2428	1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe	30
PID 1880 wrote to memory of 2428	1880	eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2428 wrote to memory of 2376	2428	AFDF.tmp	31
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32
PID 2376 wrote to memory of 780	2376	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\AFDF.tmp
  "C:\Users\Admin\AppData\Local\Temp\AFDF.tmp" "C:\Users\Admin\AppData\Local\Temp\eabd019ce78357ace1d2316a36397054_JaffaCakes118.exe" "1880"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 shell32,Control_RunDLL "C:\Users\Admin\AppData\Local\360data\3c1ae2e8.z"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\360data\foxgeve.dll",_RunAs@16
      4⤵
      Loads dropped DLL
      Access Token Manipulation: Create Process with Token
      System Location Discovery: System Language Discovery
      PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\360data\3c1ae2e8.z

Filesize
36KB

MD5
e7a15abfd05b2680906b47ea821ccb0e

SHA1
ab05f28bced342b3de0e6d509a22ad422dfdea2e

SHA256
d5a4e80b5b2c0c56d7a463d3a16fec532690396503f2d9f24f2e4c537184a82d

SHA512
a5de0e8f3b02c5e68f66bb5fae1c07b488f884876438845e74f89b6adea6ea3de547b3ca26b4686ba59a2d63d83ea2d649db2bcd3b45cac411d026c76eb456dd

Download Submit
\Users\Admin\AppData\Local\Temp\AFDF.tmp

Filesize
42KB

MD5
eabd019ce78357ace1d2316a36397054

SHA1
89c13864ae5f6fcc6d44149fa91affda7a97c45a

SHA256
ddaa9f1e4d09add675e24eccf39deebc727aa9f45694ddef12aebe7b13ccd8ef

SHA512
6d3d99b1a7fca1f5ad5c11ec9982d8af8a86ee1cef00c80bd6134ac3ef0b2014ac3a0e32b4587ab2592860a2f4950ac938c032fd6d7587c8b7c689c69b2ca871

Download Submit
memory/780-24-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/780-35-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/780-32-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/780-28-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/780-29-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1880-10-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/1880-9-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/1880-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1880-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2376-18-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2376-30-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2428-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2428-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads