ea83e0fba686de3d72c6cb003eae4b1c44b7ad6d1b6584d52a91719f9a14615b

General

Target

03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Size

300KB
MD5

03b7fa50f416ae09412627c0bbb99ad1
SHA1

d4d907f89806dcbd104f2e167dcc69e1e54a12e6
SHA256

ea83e0fba686de3d72c6cb003eae4b1c44b7ad6d1b6584d52a91719f9a14615b
SHA512

940d8d4446e568b0b4c8b08c3a8e2045f3104c9fb09dd095b9bb4222808ca5a4eea95a9822a3763ed474f2c4d1a1816253d893443a79976bdd3ab1a62df10bfa
SSDEEP

6144:KAJS1s34ZRO8+8pM9IE0BRqDZRDpcbveFQRPZa8t4CAjBjuFzb2SeNU4G:nS1sIZcYpqWqDZ5TQRc+A1jSb2SsB

Score

8^/10

discovery persistence vmprotect

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NPKEventRemoteLog\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcoree.dll"	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3504	svchost.exe

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.240.193.11
Destination IP	203.240.193.11
Destination IP	67.43.161.211
Destination IP	67.43.173.7
Destination IP	67.43.161.221
Destination IP	202.30.143.11
Destination IP	72.34.255.211
Destination IP	67.43.161.211
Destination IP	67.43.173.8
Destination IP	203.240.193.11
Destination IP	67.43.161.221
Destination IP	202.30.143.11
Destination IP	67.43.173.7
Destination IP	72.34.255.211
Destination IP	67.43.161.221
Destination IP	203.240.193.11
Destination IP	202.30.143.11
Destination IP	67.43.161.221
Destination IP	67.43.173.8
Destination IP	202.30.143.11

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3504-30-0x0000000001760000-0x0000000001777000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npkcoree.dll	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\npkcoree.dll	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
3504	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
Token: SeDebugPrivilege	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1036	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	83
PID 3464 wrote to memory of 1036	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	83
PID 3464 wrote to memory of 1036	3464	03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03b7fa50f416ae09412627c0bbb99ad1_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240630906.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240630906.bat

Filesize
266B

MD5
64cb794c271aaa51325afcb762011359

SHA1
b617055280cf029750db7b0131b0f974d8436211

SHA256
6654096b7dc1687d7f1a56d65f3f785456b865993885b9fae0903cc48174cd2e

SHA512
225eebe13214ed0ec502d5d4bcc98809d802a53c38a41a62cf6e0194d0c76e627c0e79045e9321f9fd17795b43a551585e97e05f747e5719eedcdd1b4ab8b15b

Download Submit
C:\Windows\SysWOW64\npkcoree.dll

Filesize
216KB

MD5
7503c4ee6491e7a12d92ced26e568fe7

SHA1
f10749ef3a2e97fc77289b28f876dad687224907

SHA256
af4e15330d1ab1b871b98960733b5eb78356510118d5698ad9beb55efaa8d76a

SHA512
639a67ad5abcc60fb515868788b8c350c6928a4d57bd3d6c9daa5ed10d2b6ad086a6f599a22e71842db7f99a21fd36e11ce5481851ebae5cc4d23664ef0f2376

Download Submit
memory/3464-14-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3464-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3464-10-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3464-19-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3464-4-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3464-25-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3464-24-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3464-1-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3504-29-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3504-26-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3504-30-0x0000000001760000-0x0000000001777000-memory.dmp

Filesize
92KB

Download
memory/3504-56-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/3504-54-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing