c8c1be11b7eadaef5fd7d78d2d6c4d9944f6f59b783b4f4b7c7f3eac8e68143d

General

Target

efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Size

3.8MB
MD5

efb9891ddb30cb3dea7dfbe51c295a15
SHA1

987be11a59a129cc0d4e71fcfddeb3adf596e262
SHA256

c8c1be11b7eadaef5fd7d78d2d6c4d9944f6f59b783b4f4b7c7f3eac8e68143d
SHA512

cfb93d327b9914e831bce6932f09be7d809c25418e401f39182515082291d16fc4883fcdb93b7bb2fed3bc753de00e61371aaf4d00e0a6c68fbc4c0e37424487
SSDEEP

98304:+znOEj82saUwGJX87Q2iLcJ6Jg4G+SAdR:+n9slwGJXqvJ6JgdU

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2956-12-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2296-5-0x00000000008C0000-0x0000000001EC7000-memory.dmp	upx
behavioral1/memory/2296-8-0x00000000008C0000-0x0000000001EC7000-memory.dmp	upx
behavioral1/memory/2296-13-0x00000000008C0000-0x0000000001EC7000-memory.dmp	upx
behavioral1/memory/2296-7-0x00000000008C0000-0x0000000001EC7000-memory.dmp	upx
behavioral1/memory/2296-15-0x00000000008C0000-0x0000000001EC7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosste.exe"	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2956-12-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\RGR.SYS	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchosste.exe	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosste.exe	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2688	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2296	2956	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	31
PID 2296 wrote to memory of 2748	2296	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	32
PID 2296 wrote to memory of 2748	2296	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	32
PID 2296 wrote to memory of 2748	2296	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	32
PID 2296 wrote to memory of 2748	2296	efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe	32
PID 2748 wrote to memory of 2688	2748	cmd.exe	34
PID 2748 wrote to memory of 2688	2748	cmd.exe	34
PID 2748 wrote to memory of 2688	2748	cmd.exe	34
PID 2748 wrote to memory of 2688	2748	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-1-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-3-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-5-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-8-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-13-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-14-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2296-7-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-15-0x00000000008C0000-0x0000000001EC7000-memory.dmp

Filesize
22.0MB

Download
memory/2296-16-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2956-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2956-12-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads