839f289337dbbcb572d6d6f215103465aa72c4ace65b826ca54a5dfbab024137

General

Target

ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe
Size

164KB
MD5

ff7696dfda0ccd0c88f5b9083f87f034
SHA1

0e5566e885b9f7a2a90dfa574f47fa6025a7d580
SHA256

839f289337dbbcb572d6d6f215103465aa72c4ace65b826ca54a5dfbab024137
SHA512

7032b6fd900f55a7351d9359d0e3912dd6ad2f50c72222208831cce8beb67d4ff5b3490072d0c5e58aca204dde87d6335671999b2857c128d23570508869d892
SSDEEP

3072:L1Z9EvxJHffkpWt8np0BaD3y2W95BOCPs1PV7d4u7+c36z7tX:eNKOqEbG1PV7vVM7tX

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\332ED\\0F354.exe"	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/220-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3344-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3344-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3344-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-18-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4304-116-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-117-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/220-307-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3344	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	82
PID 220 wrote to memory of 3344	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	82
PID 220 wrote to memory of 3344	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	82
PID 220 wrote to memory of 4304	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	87
PID 220 wrote to memory of 4304	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	87
PID 220 wrote to memory of 4304	220	ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe startC:\Program Files (x86)\LP\5453\B33.exe%C:\Program Files (x86)\LP\5453
  2⤵
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff7696dfda0ccd0c88f5b9083f87f034_JaffaCakes118.exe startC:\Program Files (x86)\ED982\lvvm.exe%C:\Program Files (x86)\ED982
  2⤵
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\332ED\D982.32E

Filesize
600B

MD5
ebdf11f24363c3d0fdd9f6f99ec14284

SHA1
a5489bdb492e3b0f6c1125a6d99a94b894e75b97

SHA256
9558ec3e2ad273cb43c25d2c65055eea434a49676f7c5b4f88c6973c4c26cd9c

SHA512
ac4e2dd89fe23da2f7b2c4ce91efb17fe476ab7734a639af9b193e4dd972f74a51ce27f6b55c077560ce52bfafea03d6020b9801a9c087e6e0ec4f099ffca90b

Download Submit
C:\Users\Admin\AppData\Roaming\332ED\D982.32E

Filesize
996B

MD5
593bc92ad828c4c1c478a7455a5e2aee

SHA1
226b35a5400ca1e32a5dee5ca65b1089c3a246fb

SHA256
9965a7c09e35af65a73746f357ff4f8cb68f1de85ec1d9621104df50a0ebbd01

SHA512
19c774d52ad6a593e3fb0d69b03de084f0200309ab699a5a4610c240a3dc807a4697da75b9edd20c8edd3980b3795765ac59d0c900a401e70b309cf4cfc633db

Download Submit
C:\Users\Admin\AppData\Roaming\332ED\D982.32E

Filesize
1KB

MD5
313e5a3330e5ca71806847f3c6f6bfe9

SHA1
ca1999a787c854177359944f464f17c0a15d09b9

SHA256
5c9cee4aff8bf5c28ff308ed989cf686b33ae4a897df7fb67be5e12a59aed03c

SHA512
2239de8f9889ccbd3913dbbbea0cb4c8e79a9cd97f309512f5078fb36d636021f690ed5a88e379af39c351216b785ff4bd60cd7c89aefa07d5426a54d4955640

Download Submit
memory/220-117-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/220-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-307-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/220-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3344-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3344-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3344-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4304-116-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads