745d89b49a8658aa910db4df7d1ecb6cabc2601750e18e9cc89f6ed7f0baf276

General

Target

f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
Size

4.7MB
MD5

f543a5a24bd2bc09121de19ce90a8697
SHA1

1c84d481b74eb05f507dbe3abbad73d5d480991f
SHA256

745d89b49a8658aa910db4df7d1ecb6cabc2601750e18e9cc89f6ed7f0baf276
SHA512

a7817a426b3414167ab1ef22132167af9c656cdbef12c358f207d847ede9daa52ae5446924a1c2dee126d53de4a86c1737b08233e5b7d5e84c592fe3df98ee9a
SSDEEP

98304:c1wJ4X3IT06wWXuycm/iAofR5N1yvA1pYAWBcrKFrSJSnMsEXXnZuJK:cKKWYbycm/iAofR5vyvCYIeSfsAZuk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsExplorer.exe"	reg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/944-0-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx
behavioral1/memory/316-14-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx
behavioral1/memory/944-27-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx
behavioral1/memory/316-30-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx
behavioral1/memory/316-33-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx
behavioral1/memory/944-41-0x000000013F570000-0x000000013F5D6000-memory.dmp	upx

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2104	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 316	944	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	31
PID 944 wrote to memory of 316	944	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	31
PID 944 wrote to memory of 316	944	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	31
PID 316 wrote to memory of 2180	316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	32
PID 316 wrote to memory of 2180	316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	32
PID 316 wrote to memory of 2180	316	f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2104	2180	cmd.exe	34
PID 2180 wrote to memory of 2104	2180	cmd.exe	34
PID 2180 wrote to memory of 2104	2180	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f543a5a24bd2bc09121de19ce90a8697_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowsExplorer.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowsExplorer.exe"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9442\MSVCR90.dll

Filesize
629KB

MD5
552cf56353af11ce8e0d10ee12fdcd85

SHA1
6ab062b709f851a9576685fe0410ff9f1a4af670

SHA256
e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

SHA512
122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9442\_socket.pyd

Filesize
49KB

MD5
f9b160a08dacc271b8b7ad1516d88330

SHA1
762698430bbfe5b5d52756b969fe7a757ce07a33

SHA256
7ddf74ac35a6dfa24c4f96acd058829fc934b798af910ed2a58d9b8ef8a26511

SHA512
5f1666a63e1a5a9d788556899d2a1ddeb28a33c4aac9273c706c35fe7ff3feeb0138a2e75e6f9540560f8df5717a9b0e264684f27c13277db632cfccd506aa2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9442\_ssl.pyd

Filesize
2.0MB

MD5
16bbb7e72d190e6712d923dbc854a45f

SHA1
2913c4d3b9f0c708845252e863518d9bdaea5aac

SHA256
a9d0fdc952d5bb1ba7f809a6fa7ba9418414d5a10f4a7d429f680eac22d6a322

SHA512
906f16928e322addf52aad4e21265650b82853ae73e39ec60a80effd205d75bf5b4183bac1cd55f853bbcfdc84c4fb2694acff2098c32d93175aeefd3cdff5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9442\reverse_backdoor_p2.exe.manifest

Filesize
1KB

MD5
b81d4c45f249bcbbbcb0429143eda454

SHA1
935f78d8e9c72a6ab47e8dbf791f20e6edccb685

SHA256
f259b42e41d2474143e79d6e63db540bab266d7461c67d4156e63dcc8a230348

SHA512
4441cd7c7c1e687513dce6912a78e43eee02e8aeeac31b27d47b1b0481475de54697a13e69ced7c85924a6b3aee3a95e8bbd11189b86267ed8efb16cbc89eefc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9442\bz2.pyd

Filesize
90KB

MD5
a1950d15ae7fadd5b203639f3965f690

SHA1
dd09dfee5577feca2ce25d9cc5091933ca580adb

SHA256
baa75ad550784c5c5bada51cb565784a04f267fad708e6611b0cc3dc6ae0c1ed

SHA512
b0ca2e27e0fa77a58c7a56d66bf01fca152cb784e11ced7e247b092864f5a81b6cde353adfe58193d660f9be7b37c8076a6ca75390d4b34228b5359a3a884c88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9442\python27.dll

Filesize
3.3MB

MD5
7d70c8d8fc3c80a0dd514a25ebcab3d7

SHA1
1bc65d764a012bba355d3a8f57a11e18fd3bb636

SHA256
3cd15cca3e7db57da0a4808b6602261763c5e31f807083c59deaffcc0649b743

SHA512
5e03aaec836bd429fe7577628161af4a18ee881338fd31f5634aec953f473ba078a888d6fa5af0d7a091048fa8516de28adf649a81f4a6b52325cb85a71ccf65

Download Submit
memory/316-14-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download
memory/316-30-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download
memory/316-33-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download
memory/944-0-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download
memory/944-27-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download
memory/944-28-0x00000000000D0000-0x0000000000136000-memory.dmp

Filesize
408KB

Download
memory/944-41-0x000000013F570000-0x000000013F5D6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads