e5b504fc20d8112fb3069d0f96c78736179611e412554a23a831ae1e305d7e4b

General

Target

fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe
Size

249KB
MD5

fb7a0477cdcbe5d1df6504f50d0c10f7
SHA1

34cd6ce68588d91f8a800c2713721058e7ca1e58
SHA256

e5b504fc20d8112fb3069d0f96c78736179611e412554a23a831ae1e305d7e4b
SHA512

0d57f8ad78431e3a1dcc2e53d05f7b0cef7a2a60397b538a7eb4e7985854dac643259e321e9616148903c205915fef14d7e2e7d3c9fd236e898a2112ae4e3429
SSDEEP

6144:N+FRX/k0Kt9SPUYCCfqORrjfhnSCo/4rTUXDutCzp1it4J:N+P/kLt9SPUzCDrhnSCiTXS

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\615578cd\\X"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2900	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1924	X
332	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe
2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x0000000000447000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{d02b0115-b994-31bb-92b4-d762f1e35774}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d02b0115-b994-31bb-92b4-d762f1e35774}\u = "71"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d02b0115-b994-31bb-92b4-d762f1e35774}\cid = "7149876774568795201"	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	X
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2900	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	28
PID 2792 wrote to memory of 1924	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1924	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1924	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	29
PID 2792 wrote to memory of 1924	2792	fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe	29
PID 1924 wrote to memory of 1116	1924	X	20
PID 2900 wrote to memory of 332	2900	explorer.exe	2
PID 332 wrote to memory of 2540	332	csrss.exe	30
PID 332 wrote to memory of 2540	332	csrss.exe	30
PID 332 wrote to memory of 2636	332	csrss.exe	31
PID 332 wrote to memory of 2636	332	csrss.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1116
- C:\Users\Admin\AppData\Local\Temp\fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb7a0477cdcbe5d1df6504f50d0c10f7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\explorer.exe
    00000054*
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
- - C:\Users\Admin\AppData\Local\615578cd\X
    193.105.154.210:80
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1924

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2540

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\615578cd\@

Filesize
2KB

MD5
fa985c1c10a4df0ff81b3a1196aa31db

SHA1
9cdf26969d47b656c397727319d29eadaedc762a

SHA256
46aa7b9dc53bfbe9007dd8cd3a0b34b4a869d42bd4664ce6dbdf3760456b0849

SHA512
eb2d76caccc5268e35fff1ba51924594ce1c90960a2973949e2ad6df0e60ff5e64a6af95d5f5bbd8b472347a41d54b354a28d61dc13720c928e135b14b2a0f32

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\Users\Admin\AppData\Local\615578cd\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
8f3db291c489434ab67740c55b368aa0

SHA1
c2d2859f4e3b117aa04062be2d2057acb6ca8434

SHA256
0dab18174dc4e7f01cfc113834b84a00c4c27d83131b9aa47061f477be32a964

SHA512
3af95545a069fe77caea36bd76db55c070a43d4c5e85fa171ca6b44b8f6aaece6d66726eb34d7404a0f1c8e204e6f07ee1ef85c4d1519bf4122f76a9c5864ea3

Download Submit
memory/332-43-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/332-42-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/1116-35-0x0000000002D30000-0x0000000002D3B000-memory.dmp

Filesize
44KB

Download
memory/1116-34-0x0000000002D10000-0x0000000002D18000-memory.dmp

Filesize
32KB

Download
memory/1116-45-0x0000000002D30000-0x0000000002D3B000-memory.dmp

Filesize
44KB

Download
memory/1116-32-0x0000000002D20000-0x0000000002D2B000-memory.dmp

Filesize
44KB

Download
memory/1116-28-0x0000000002D20000-0x0000000002D2B000-memory.dmp

Filesize
44KB

Download
memory/1116-24-0x0000000002D20000-0x0000000002D2B000-memory.dmp

Filesize
44KB

Download
memory/1116-44-0x0000000002D10000-0x0000000002D18000-memory.dmp

Filesize
32KB

Download
memory/2792-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2792-1-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2792-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2792-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2900-18-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2900-23-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2900-33-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/2900-13-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads