e4aa0039b7622eb744640ae6a455ce148e80d3f118a14d36770188fb45e0d0bb

General

Target

fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe
Size

829KB
MD5

fea8413f96f282fc546e317223fb1670
SHA1

2478d6b1903c7de9e6ccab849c26122a754751c5
SHA256

e4aa0039b7622eb744640ae6a455ce148e80d3f118a14d36770188fb45e0d0bb
SHA512

cf7b0806ebb7c250bcb0015f35728c33b7b730b326989c2cad30d42206bbde685036df379a8c5a79d90b93396ec964e6aa46656e179d189bb114d12cd187576c
SSDEEP

24576:CkwREZwvBvd5I/Htz+cn3t7mHvDaQbsDWU4:Czcwvd5Ivtacn3t7muhWf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3288	HelpMe.exe
2184	mssrs32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssrs32 = "C:\\Windows\\mssrs32.exe"	mssrs32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kmssx32.dll	HelpMe.exe
File opened for modification	C:\Windows\mssrs32.exe	HelpMe.exe
File opened for modification	C:\Windows\KBBA35E28089.log	HelpMe.exe
File opened for modification	C:\Windows\kmsjsx32.sys	mssrs32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssrs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe
2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2184	mssrs32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	mssrs32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe
3288	HelpMe.exe
3288	HelpMe.exe
2184	mssrs32.exe
2184	mssrs32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3288	2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe	82
PID 2612 wrote to memory of 3288	2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe	82
PID 2612 wrote to memory of 3288	2612	fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe	82
PID 3288 wrote to memory of 2184	3288	HelpMe.exe	83
PID 3288 wrote to memory of 2184	3288	HelpMe.exe	83
PID 3288 wrote to memory of 2184	3288	HelpMe.exe	83

C:\Users\Admin\AppData\Local\Temp\fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea8413f96f282fc546e317223fb1670_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\mssrs32.exe
    C:\Windows\mssrs32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HelpMe.exe

Filesize
145KB

MD5
da1ca04477f6d144170c01e9aed6e9bc

SHA1
0aeaf99393ce0f147e852743e03753ba0bc7910a

SHA256
cfd15ec9a7679272c40556f73be00e6a3903874ab9081b818ab147b7541fac7c

SHA512
bd1ae55c72161af22459343536efdcd671b39c6d1c831669932165df62428afacb3d6da25c5dbb8e6a3f7c18106042f8a51c1d6123ae086ff23dd3cf13363f17

Download Submit
C:\Windows\kmssx32.dll

Filesize
1KB

MD5
3c141271e1570321487614aab7e27ff5

SHA1
553c0b22c74aaad00a67b2b691b254baf1406f2d

SHA256
5d3803756784aa16a4962fedcc11547485768e1bd7f59fa2af1838d844c32c6e

SHA512
fcef3e13a1a08592cce7ef22c6bfc11887c03932cbfffa11caf547b376a7d6666c85cb7cd43c4653333c1e834c7b2b35e3b1ee3f2378e1ab8b4c0a74470292f7

Download Submit
memory/2184-34-0x0000000000400000-0x0000000000426BA8-memory.dmp

Filesize
154KB

Download
memory/2612-6-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-5-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-10-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-9-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-0-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-4-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-32-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2612-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/3288-15-0x0000000000400000-0x0000000000426BA8-memory.dmp

Filesize
154KB

Download
memory/3288-33-0x0000000000400000-0x0000000000426BA8-memory.dmp

Filesize
154KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads