bcc1bc5adf4111a958b33dfb3f4e11d86e6f1e0ab28871763954e595f13cd41f

General

Target

fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
Size

246KB
MD5

fabc1747c8d87c3f3a5336304d6dc4d6
SHA1

a6ef9922f608c165a2f4ecbfdf065d6707746ee4
SHA256

bcc1bc5adf4111a958b33dfb3f4e11d86e6f1e0ab28871763954e595f13cd41f
SHA512

de9c056123ab093a4a7a1b7f3c7656d266d8799bd0629266827f07083dd31b1e5d05b7a47635710570e2f398b818534076b4d1c687bc20b5bb720aecc7666d42
SSDEEP

6144:+a6IbqI5KDZyHnWieWXlWj3fIWP92wX43WS5Pj7/6Du59VbH:+aS4K+ojII90GSdzUSVbH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2344	system
2192	eciimw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\x86-ms6012453.log	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\x86-ms6012452.log	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2952	2192	eciimw.exe	35

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x000a0000000122d0-6.dat	upx
behavioral1/memory/2344-11-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2336-13-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x00070000000186ca-14.dat	upx
behavioral1/memory/2952-20-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2192-21-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\eciimw.exe	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2084	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eciimw.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
2344	system

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2344	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2344	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2344	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2344	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1632	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1632	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1632	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1632	2336	fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe	31
PID 1632 wrote to memory of 2084	1632	cmd.exe	33
PID 1632 wrote to memory of 2084	1632	cmd.exe	33
PID 1632 wrote to memory of 2084	1632	cmd.exe	33
PID 1632 wrote to memory of 2084	1632	cmd.exe	33
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35
PID 2192 wrote to memory of 2952	2192	eciimw.exe	35

C:\Users\Admin\AppData\Local\Temp\fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fabc1747c8d87c3f3a5336304d6dc4d6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\system
  C:\system
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc start WMMNetworkEbn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\sc.exe
    sc start WMMNetworkEbn
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2084

C:\Program Files\eciimw.exe
"C:\Program Files\eciimw.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\windows\SysWOW64\svchost.exe
  C:\windows\system32\svchost.exe
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\eciimw.exe

Filesize
10.2MB

MD5
95a79cd0b349b41039119abee058b2e4

SHA1
aae2934b5ce56573913a71001177500ff292fcdb

SHA256
9ba459784bc8028fa514714b23e7ecfb509b9e35f7925ed0f5f14ea956792e9d

SHA512
ea6fc97ac1c6f158100369a0234e64ccdb104eca9fb5ed5174d0d301ef9b47a599081b7032ed4e6e3b9830f912e19a2b896fd541c6cc1e8e4c65533db3b7783a

Download Submit
C:\system

Filesize
8.2MB

MD5
02cfded65e07aee30197005a46709f41

SHA1
220ef49281d7831dc07be631efdf9bb7530760f3

SHA256
bd5f5cbaf8c1c0df5dad25c19bc10496380fdecb2f519428a41c285d21cccf40

SHA512
d92dc05a1fffa5fdc97ab08dd17a8b385af212e1d19f88572758e24295fabf9b66e732d6ee5c0630a7c4215c185e9cc37a501dcb78614692a2834a5aa47c4099

Download Submit
memory/2192-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2336-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2336-8-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2336-7-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/2336-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2344-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2952-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2952-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing