4faadb8a92a2785f27b3965f38a7efb2478afa1bf47267af459fc6116ea80aff

General

Target

ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
Size

36KB
MD5

ee8cf8f9666059043b0bb49280dc9a9c
SHA1

87b94e0f1a4637815cf1ceb5ffa56d1a5cd5b0d6
SHA256

4faadb8a92a2785f27b3965f38a7efb2478afa1bf47267af459fc6116ea80aff
SHA512

7f382fe82c0cbe498c3d1ac0c21308f35b7e198d13003b94b9d50a38aa5c3288a2fb86796d0c4dd47d541e21534ecd2a6056bcdcab50c7e214bfc653b4b3cfa4
SSDEEP

768:j9SL0aZNB0pOAL1xZ8gxXN6WdcwG/+u3bEAW44/Q9pB:j20a10Q+LZ7WccwGm0bEtfQ9pB

Score

10^/10

discovery evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2764	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2408-24-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\midimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\comres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUmidimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YUcomres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysapp8.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\ksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\360\360se3\comres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\SogouExplorer\ksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\SogouExplorer\midimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\midimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\comres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\360\360se3\ksuser.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\360\360se3\midimap.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
File created	C:\Program Files\SogouExplorer\comres.dll	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2116	sc.exe
2376	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2540	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	31
PID 2408 wrote to memory of 2540	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	31
PID 2408 wrote to memory of 2540	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	31
PID 2408 wrote to memory of 2540	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	31
PID 2408 wrote to memory of 2116	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2116	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2116	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2116	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	32
PID 2408 wrote to memory of 2376	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	34
PID 2408 wrote to memory of 2376	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	34
PID 2408 wrote to memory of 2376	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	34
PID 2408 wrote to memory of 2376	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	34
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2408 wrote to memory of 2764	2408	ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe	37
PID 2540 wrote to memory of 2920	2540	net.exe	38
PID 2540 wrote to memory of 2920	2540	net.exe	38
PID 2540 wrote to memory of 2920	2540	net.exe	38
PID 2540 wrote to memory of 2920	2540	net.exe	38

C:\Users\Admin\AppData\Local\Temp\ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee8cf8f9666059043b0bb49280dc9a9c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1726871416.dat, ServerMain c:\users\admin\appdata\local\temp\ee8cf8f9666059043b0bb49280dc9a9c_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1726871416.dat

Filesize
37KB

MD5
3dc04754c7c9d30b36ed30f14f87d92b

SHA1
caaf3310708787bab3edca673130e0f3480bc594

SHA256
fe9abd6c5009864f57f5a7eb8a05ddbf382aed68f7b99d15724843a5bce6a012

SHA512
a0a4ebe544bacdae90b71d37071c2e6b97fe0badf388e1e4a981ab8c645e9b1098a752502cab5f0b6326bc18cf665823d0df253706bf6c38ccfd0b2d4801b707

Download Submit
memory/2408-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2408-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing