ea83e0fba686de3d72c6cb003eae4b1c44b7ad6d1b6584d52a91719f9a14615b

General

Target

03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Size

300KB
MD5

03b7fa50f416ae09412627c0bbb99ad1
SHA1

d4d907f89806dcbd104f2e167dcc69e1e54a12e6
SHA256

ea83e0fba686de3d72c6cb003eae4b1c44b7ad6d1b6584d52a91719f9a14615b
SHA512

940d8d4446e568b0b4c8b08c3a8e2045f3104c9fb09dd095b9bb4222808ca5a4eea95a9822a3763ed474f2c4d1a1816253d893443a79976bdd3ab1a62df10bfa
SSDEEP

6144:KAJS1s34ZRO8+8pM9IE0BRqDZRDpcbveFQRPZa8t4CAjBjuFzb2SeNU4G:nS1sIZcYpqWqDZ5TQRc+A1jSb2SsB

Score

8^/10

discovery persistence vmprotect

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EventNvidaLog\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcore2.dll"	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
864	svchost.exe

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	202.30.143.11
Destination IP	202.30.143.11
Destination IP	67.43.161.211
Destination IP	67.43.161.221
Destination IP	67.43.173.8
Destination IP	67.43.161.221
Destination IP	203.240.193.11
Destination IP	202.30.143.11
Destination IP	203.240.193.11
Destination IP	203.240.193.11
Destination IP	67.43.161.211
Destination IP	67.43.173.8
Destination IP	67.43.173.7
Destination IP	67.43.173.7
Destination IP	67.43.161.221
Destination IP	72.34.255.211

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/864-35-0x0000000000240000-0x0000000000257000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npkcore2.dll	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\npkcore2.dll	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
864	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2688	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2688	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2688	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2688	1804	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\259429818.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259429818.bat

Filesize
266B

MD5
4fff36f7e76d1b05e3bf48c1471b9adb

SHA1
b88755b87d3e3ef00fac35bab2cb1be63eb0a099

SHA256
10e229a99384d325f7f6ffd165688b06c7b12c3b987dcead5ab220f319d6cf3f

SHA512
d2d08ed000edc0e9bc1272c9b024624ee5b16fbd57b4bc0fbc899787fbecf52c9c7dac192d2ff38ac65fe6fbdfc0e4468985e2a1e4588fbc4363d2c1e54726bf

Download Submit
\Windows\SysWOW64\npkcore2.dll

Filesize
216KB

MD5
7503c4ee6491e7a12d92ced26e568fe7

SHA1
f10749ef3a2e97fc77289b28f876dad687224907

SHA256
af4e15330d1ab1b871b98960733b5eb78356510118d5698ad9beb55efaa8d76a

SHA512
639a67ad5abcc60fb515868788b8c350c6928a4d57bd3d6c9daa5ed10d2b6ad086a6f599a22e71842db7f99a21fd36e11ce5481851ebae5cc4d23664ef0f2376

Download Submit
memory/864-35-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/864-46-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/864-48-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/864-60-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/864-32-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/864-31-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-10-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-29-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1804-30-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-4-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1804-14-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-15-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1804-1-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing