219e1e07765d71bc76202499868f48a2e0d947e45a632209993e82d5902fa2e6

General

Target

fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Size

708KB
MD5

fbedf6c745a1ca4c79079f09eb69cb02
SHA1

e55ccd05e77c22707d042280d463110fda4a69dd
SHA256

219e1e07765d71bc76202499868f48a2e0d947e45a632209993e82d5902fa2e6
SHA512

10b2dd5fc168f997190fddbb62d3763327b685f6c388482b7904327961f448844b6d456697f4a0af61de95a333d763e4e8486497587e893197fa024c960af7a6
SSDEEP

12288:BLb58E2pBHGpQiKpBIuZNNiCsRInBZqpzUF4AnjZnMei/SFfdYTQdxW8D:VeJpBniKpBPzTzqtURjZnli5kPt

Score

7^/10

discovery upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2052-3-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2052-11-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2052-10-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2168-14-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2052-16-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2168-18-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{236E5DB5-4E75-8C3E-30EE-3DC0955EF077}\ = "Outlook File Icon Extension"	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{236E5DB5-4E75-8C3E-30EE-3DC0955EF077}\InprocServer32	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{236E5DB5-4E75-8C3E-30EE-3DC0955EF077}\InprocServer32\ThreadingModel = "Apartment"	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{236E5DB5-4E75-8C3E-30EE-3DC0955EF077}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL"	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{236E5DB5-4E75-8C3E-30EE-3DC0955EF077}	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2052	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2052	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Token: 33	2052	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2052	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2052	2168	fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fbedf6c745a1ca4c79079f09eb69cb02_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-11-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2052-13-0x000000000040B000-0x000000000040E000-memory.dmp

Filesize
12KB

Download
memory/2052-17-0x0000000002410000-0x00000000024A4000-memory.dmp

Filesize
592KB

Download
memory/2052-3-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2052-4-0x0000000002410000-0x00000000024A4000-memory.dmp

Filesize
592KB

Download
memory/2052-9-0x0000000002410000-0x00000000024A4000-memory.dmp

Filesize
592KB

Download
memory/2052-16-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2052-12-0x0000000002410000-0x00000000024A4000-memory.dmp

Filesize
592KB

Download
memory/2052-10-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2168-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2168-14-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2168-15-0x0000000000230000-0x000000000031F000-memory.dmp

Filesize
956KB

Download
memory/2168-1-0x0000000000230000-0x000000000031F000-memory.dmp

Filesize
956KB

Download
memory/2168-2-0x0000000000520000-0x000000000060F000-memory.dmp

Filesize
956KB

Download
memory/2168-18-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing