b51b99f129a3af375b9a9a2642dbbbc923b8c12c9d10c54bb7e63b558e6225c6

General

Target

ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
Size

183KB
MD5

ee7750d73d8ec95d491f1fbc49cb7d9c
SHA1

3b13140716d7614d8bf3c037038327205f7789e1
SHA256

b51b99f129a3af375b9a9a2642dbbbc923b8c12c9d10c54bb7e63b558e6225c6
SHA512

e9fe3023c8ccd59f84824dea524d732cb62f38a2e7f3edde436d8585a44a77cf8002355c4981737c0ff98656b90df6f703042cee044d28840c1fc92c282d5a4f
SSDEEP

3072:H//rqUS66P1aJJPFvgFxAkjuqxJX2hSq2XGGddnxAJFi+BYHJx305kZSL3:fOUS66PAlJgbAkCqxJF1BdnLdx3055

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2212-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2388-8-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2388-9-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2388-10-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2212-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/5104-77-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2212-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2212-179-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2388	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	83
PID 2212 wrote to memory of 2388	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	83
PID 2212 wrote to memory of 2388	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	83
PID 2212 wrote to memory of 5104	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	91
PID 2212 wrote to memory of 5104	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	91
PID 2212 wrote to memory of 5104	2212	ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ee7750d73d8ec95d491f1fbc49cb7d9c_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6C77.A39

Filesize
1KB

MD5
57ce92a490a5bd35f74d86533d60b271

SHA1
33c216f14aa94ce4bf9ace8e6fc8120346b278e9

SHA256
4c385d968c915e046194ab28148ee8983aaec9bf7855654cdcbf0d76e79350f7

SHA512
9a8359674ae519c06e6c375ac189d4bfff4f4ba501c7e93b1ebe74f94814f6d965fa0bc4c5ea5d3911c99ffea86f1704ae14579e93d07d884180597da50c740a

Download Submit
C:\Users\Admin\AppData\Roaming\6C77.A39

Filesize
600B

MD5
19cade3510d85272f17cf8c390d90408

SHA1
95b79082b76146ebf55c41d48e179c4586684e4e

SHA256
b07a5dfdb8ace34d2e9603b0802f37adec5b987c7331b95611fe6f4833de6304

SHA512
e1f4992f91db73a8b8819b6e251bb835ce499c0d8707147eaf510753e798c8bbc70f6db59bd9d9fc3521f1b52c411df73d579da905e93dd7da1d8ac3c6c45a6c

Download Submit
C:\Users\Admin\AppData\Roaming\6C77.A39

Filesize
996B

MD5
a360b7562e5560c3b2bd2c95a3479b62

SHA1
fe82931ac84c0cd69b3253a67953a3db2452d935

SHA256
6874f8dab2222b8f2265b5f505b7dcf8b8753785dae35731f352951f8ac1e7d6

SHA512
b29975acb1f36260d7362c72eea1bac00bfd1fbc30bb7333b6748bc2a65cd380592d51796baebf2188a8ec9253b4092c4220bfd230293d848fd0d1a49d3f63ef

Download Submit
memory/2212-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2212-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2212-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2212-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2212-179-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2388-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2388-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2388-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5104-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5104-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads