de023fe465eb46b1aad113ca75e1a74d5748ac1880bbdda99744d77f08c69e7a

General

Target

02ca4350349c0c082d3918818c523241_JaffaCakes118.exe
Size

1008KB
MD5

02ca4350349c0c082d3918818c523241
SHA1

b61d8872de4c7efccee934a69b3bd04f585c1726
SHA256

de023fe465eb46b1aad113ca75e1a74d5748ac1880bbdda99744d77f08c69e7a
SHA512

cafbb6ed7bdd82016e4e0a11b34a5811ce4accd3e518d934c43ac1abc4e4f0adc436b1862842d071943961744dbfa67f5d89f422c58ce2bb29b3bf87ba3ffa2e
SSDEEP

24576:MWmJDFpt+qfCdniPq6g5Ftds5aj/1brvXmk0u5Cw2jn4iDO3QC:MvJt+qKdni01ds5aj/1fXMuhkn4iDOz

Score

9^/10

aspackv2 discovery persistence upx

Malware Config

Signatures

Detected Nirsoft tools 13 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3500-46-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-48-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-49-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-50-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-51-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-54-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-55-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-56-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-57-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-58-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-59-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-60-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft
behavioral2/memory/3500-61-0x0000000000400000-0x00000000004F9000-memory.dmp	Nirsoft

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023456-17.dat	aspack_v212_v242
behavioral2/files/0x0007000000023456-32.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	02ca4350349c0c082d3918818c523241_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	SERVER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	SERVER.EXE
3500	winlogon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "\\windows\\winlogon.exe"	SERVER.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023454-5.dat	upx
behavioral2/memory/2456-9-0x0000000000400000-0x00000000004F3000-memory.dmp	upx
behavioral2/memory/2456-41-0x0000000000400000-0x00000000004F3000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\windows\winlogon.exe	SERVER.EXE
File opened for modification	C:\windows\winlogon.exe	SERVER.EXE
File created	C:\windows\services.ini	SERVER.EXE
File opened for modification	C:\windows\services.ini	SERVER.EXE
File opened for modification	C:\Windows\winlogon.exe	winlogon.exe
File created	C:\Windows\openssl.cnf	winlogon.exe
File created	C:\windows\Amcam13.ini	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02ca4350349c0c082d3918818c523241_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe
3500	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2456	4504	02ca4350349c0c082d3918818c523241_JaffaCakes118.exe	82
PID 4504 wrote to memory of 2456	4504	02ca4350349c0c082d3918818c523241_JaffaCakes118.exe	82
PID 4504 wrote to memory of 2456	4504	02ca4350349c0c082d3918818c523241_JaffaCakes118.exe	82
PID 2456 wrote to memory of 3500	2456	SERVER.EXE	83
PID 2456 wrote to memory of 3500	2456	SERVER.EXE	83
PID 2456 wrote to memory of 3500	2456	SERVER.EXE	83
PID 3500 wrote to memory of 3576	3500	winlogon.exe	84
PID 3500 wrote to memory of 3576	3500	winlogon.exe	84
PID 3500 wrote to memory of 3576	3500	winlogon.exe	84
PID 3576 wrote to memory of 440	3576	net.exe	86
PID 3576 wrote to memory of 440	3576	net.exe	86
PID 3576 wrote to memory of 440	3576	net.exe	86

C:\Users\Admin\AppData\Local\Temp\02ca4350349c0c082d3918818c523241_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02ca4350349c0c082d3918818c523241_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\winlogon.exe
    "C:\Windows\winlogon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Share Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
642KB

MD5
c079ab30a028980c047441e31ca50e50

SHA1
f7f4cd835b062ea8534756724dc0d16a5024bfa7

SHA256
b4a20f2acf346ea17b94b521df6011b89d8f2b850108774c062c00741925d7f4

SHA512
92d484cd0a28b8095132f6a9b91b62c458e97a00c0bde0898bc10f454558f9b1cb05a51b3f39d50b209480b177013f7682a6b005462b688535f1dccfe2656c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.ini

Filesize
69B

MD5
739d262298ae5fe66a304cfed1ab6e1c

SHA1
ec7d8510a5e658cd313d2ce7c85092b4ef636093

SHA256
dd75e51ad1765893bceae6fbbac4a1b93d5c32fe4f28494af7204f7a35562561

SHA512
c8adb13abc25c2b3c47abefc05a3251c0f0f6062b98009c543eeaa2e2c5d1b64a9a6bbc68cdab50c2fcf25b523262b67b8108cdc520ead265fe493a8caae7a7c

Download Submit
C:\Windows\amcam13.ini

Filesize
14B

MD5
d2913e63cdf78b4877cac514721e0945

SHA1
5d69005c29050e81e18ba3ec3f40223b06f1b347

SHA256
fc6247867f64d24c4106d75a093d56fde91a2470c05c2c3c6a0f4c8f354d5480

SHA512
510e6821579d3e33dc987f61aa0c469bb668771ae48cc1db23bd29b9e458c20680e87fc168b61da0430efdabcc9ba7a50551cf02e54a41362ff2b726db237e82

Download Submit
C:\Windows\winlogon.exe

Filesize
416KB

MD5
68e0699510c0b29cfa0e6a3da16f3cae

SHA1
ce6d3ba98368d0a03e871595b84d9cca165db6a6

SHA256
b7d62d59e1ece39d6b4876fbf73dad816be78f1cfd0ef3e9280eef0f4a55337f

SHA512
6497ae888aa59049887e131eb1e3290aa73f1e40d5d314dcd451bdb567615562286dc3e5cfb4bc0e8db1502e0904f4b3a434333aae729b650cc4fa4e3f8c70a7

Download Submit
C:\Windows\winlogon.exe

Filesize
416KB

MD5
5742862edc6fddd3f51bf9d07c8d7aba

SHA1
37c19e4bb41c9aafd6a00ee7b59b7b3139c74215

SHA256
8f4e254705cd38f642fa9003ab2c93cd2c595f74361e8de02f322242d849de72

SHA512
db6d7ee5a770a3e178c7c65ab47a4940db1ad2c3b3991476d08beef68a550900ce630ff2f4df99165fa81763d631e4864029f24bcd115f1fd8350e6dcb5dcc3f

Download Submit
memory/2456-41-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2456-9-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2456-11-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3500-46-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-54-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-37-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-47-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3500-61-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-48-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-49-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-50-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-51-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-42-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3500-55-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-56-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-57-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-58-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-59-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3500-60-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4504-10-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads