79570fdec74de86c42b4e3f5f068e9b11713fc4a7767b3e0749a338246a61560

General

Target

02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe
Size

158KB
MD5

02122951aa7847cb407462539f3a81dd
SHA1

d3f1cb290e0040eb55f6c1d9c62e9200577c03bb
SHA256

79570fdec74de86c42b4e3f5f068e9b11713fc4a7767b3e0749a338246a61560
SHA512

0eb7297e1c414ba3ed006d6a3f68b9be65f20364e0835e9869147932b6c48f914c3440f50de2b4b7e9585de4cb93be193ee36b6988b544b6a9740bfd0ee4430d
SSDEEP

3072:IzW+DiW9iLo+GnHv5uBagqRBINsDoAkU9xm2cxmf+:LKELo72HiYsDoAkUDm2W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3488	server.exe
1000	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 1000	3488	server.exe	83
PID 3488 set thread context of 0	3488	server.exe
PID 3488 set thread context of 0	3488	server.exe
PID 3488 set thread context of 0	3488	server.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-4-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/files/0x00090000000234be-3.dat	upx
behavioral2/memory/3488-15-0x0000000000400000-0x0000000000438000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1000	server.exe
1000	server.exe
1000	server.exe
1000	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3488	server.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3488	1792	02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe	82
PID 1792 wrote to memory of 3488	1792	02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe	82
PID 1792 wrote to memory of 3488	1792	02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe	82
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 1000	3488	server.exe	83
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 3488 wrote to memory of 0	3488	server.exe
PID 1000 wrote to memory of 3608	1000	server.exe	56
PID 1000 wrote to memory of 3608	1000	server.exe	56
PID 1000 wrote to memory of 3608	1000	server.exe	56
PID 1000 wrote to memory of 3608	1000	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\02122951aa7847cb407462539f3a81dd_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
100KB

MD5
9f71dc9dc11fbb26454dd27a9777bf66

SHA1
dc0c1453d23998d645ab76f2f764fcb2287e0b72

SHA256
a25fc90f65dc7e9389bc15545445b36180106d0e0253f3b71dd0add9d63dc3c3

SHA512
5607f938deb99e57392be2effe68fec3e2df9a7f3d211330b0e17b15f886a1eee7af7605908363e5b76df1155f668b33a930435b1d1c7e19c288a4791f58e644

Download Submit
memory/1000-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1000-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1000-12-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1000-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3488-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-16-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3608-17-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads