3fa4297a33559e7a7c5676bd3f955a38148ee5820e58ed3cf13483ae5ed4abd7

General

Target

ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe
Size

164KB
MD5

ed51777d92665bb45ac892160984cd5c
SHA1

223f0ac840afdfa4bde34cbfbe0d362d9fa91fe6
SHA256

3fa4297a33559e7a7c5676bd3f955a38148ee5820e58ed3cf13483ae5ed4abd7
SHA512

721b0503e23ea81943d4ba8b46f9dc0c606c0ad724a10015039841b02821fd8de646cad555202f7e328244aecb5f11cd6722d8e45193b6122dbd2f122ca0e51d
SSDEEP

3072:ktOmSp7U9vDIZ0/zR8nLlnEXz83L60aaHm+gPMWZdvb:f+v6c6LlnEXE/g0gv

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\C6452\\0BA5D.exe"	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4468-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4468-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4468-14-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2200-15-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2200-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4088-130-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4088-132-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2200-133-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/2200-283-0x0000000000400000-0x0000000000490000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4468	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	86
PID 2200 wrote to memory of 4468	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	86
PID 2200 wrote to memory of 4468	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	86
PID 2200 wrote to memory of 4088	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	90
PID 2200 wrote to memory of 4088	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	90
PID 2200 wrote to memory of 4088	2200	ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe startC:\Program Files (x86)\LP\5D9C\A30.exe%C:\Program Files (x86)\LP\5D9C
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed51777d92665bb45ac892160984cd5c_JaffaCakes118.exe startC:\Program Files (x86)\5244C\lvvm.exe%C:\Program Files (x86)\5244C
  2⤵
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C6452\244C.645

Filesize
996B

MD5
6b7ab4ec285584a13f91594d62346583

SHA1
34d6bc3855fa1b3d5cfeecfd038535fbc6d7957f

SHA256
7eac80fe8269211b9dd4623f3332f6ec6e123e250f03a9e401f31c92da8b6727

SHA512
261c3f5e33aff06d21937ce72c6fc1cbe9a653757c0e5906b9f000e139f2f9e57ade5376ea0954dd074877e0b04dca061080394f396eb4843b49deb4f1ab4e2d

Download Submit
C:\Users\Admin\AppData\Roaming\C6452\244C.645

Filesize
600B

MD5
854897e1dd9113126990f41687108e42

SHA1
1653ef3058ed60852e7f8e7539e7855c7ff2527e

SHA256
3d13d728c148d8e9c8a2ab184f27d74074fcb77f1941a8590ca6cdbeaf33c501

SHA512
1b005f16184e057297f7fe31df101c994c3baf23e6e104d710b6686a475bb7a638e3b645ac1156d1f42a922760f02740f72a4d8a8c7d13de8280a3a01ee4e591

Download Submit
C:\Users\Admin\AppData\Roaming\C6452\244C.645

Filesize
1KB

MD5
e3bdaff86c37e2b4fbd0b28f472760f7

SHA1
4b6b74f6101d5a86741c95c066f4e5202b217edd

SHA256
690517b74d23817a5c9dc7090df915b5e242521845bc56facb8fc9eeedad188e

SHA512
5fbe4a7119278cc99ce73d7d8550c371a3cff7e88873a0eb104f76289598610cdd3e74f3492b22cd5ed05119cb8254b816663c375f6d3d3c2c058725e8e8c432

Download Submit
memory/2200-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2200-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2200-283-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2200-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2200-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2200-133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4088-130-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4088-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4088-129-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4468-14-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4468-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4468-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads