b8e1be767a20d97ae9bd59f4950db014b831760776b9fcf7ffef8334672b0a31

General

Target

0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe
Size

1.1MB
MD5

0bba811ce9b52414956803eb3b7c847b
SHA1

8085493beb6afda8d8d8b9c03e2ba4784717db88
SHA256

b8e1be767a20d97ae9bd59f4950db014b831760776b9fcf7ffef8334672b0a31
SHA512

32d1a0d3a8c9f756c0f5bc9ff50c016b7c792824f81e2028f68e5f2730fd760a955e5d718ff199ce80fd3dbef7e944ef99dee72f86f8766c1d09363b7aba6144
SSDEEP

24576:ahDDCEHW6yuyHnHOqk0Sc9KBhfaQdBlxrz9p0oSIyXA/aW6:+DCiWLHnHOZc9Xelposmb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3560	applogon.scr
1004	services
2908	service
4636	jqs

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftWinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\applogon.txt	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\applogon.scr	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\applogondrv.dll	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234d2-6.dat	upx
behavioral2/memory/3560-8-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/1004-15-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/3560-21-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-31.dat	upx
behavioral2/memory/4636-33-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/1004-34-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/1004-36-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/4636-40-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4636-41-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/1004-42-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/1004-45-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\102202451348.exe	applogon.scr

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	applogon.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqs

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4600	reg.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4636	jqs
2908	service
1004	services

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	service
2908	service

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 3560	180	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe	82
PID 180 wrote to memory of 3560	180	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe	82
PID 180 wrote to memory of 3560	180	0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe	82
PID 3560 wrote to memory of 4600	3560	applogon.scr	83
PID 3560 wrote to memory of 4600	3560	applogon.scr	83
PID 3560 wrote to memory of 4600	3560	applogon.scr	83
PID 3560 wrote to memory of 1004	3560	applogon.scr	84
PID 3560 wrote to memory of 1004	3560	applogon.scr	84
PID 3560 wrote to memory of 1004	3560	applogon.scr	84
PID 1004 wrote to memory of 2908	1004	services	86
PID 1004 wrote to memory of 2908	1004	services	86
PID 1004 wrote to memory of 2908	1004	services	86
PID 1004 wrote to memory of 4636	1004	services	87
PID 1004 wrote to memory of 4636	1004	services	87
PID 1004 wrote to memory of 4636	1004	services	87

C:\Users\Admin\AppData\Local\Temp\0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bba811ce9b52414956803eb3b7c847b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:180
- C:\Windows\SysWOW64\applogon.scr
  C:\Windows\system32\applogon.scr
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MicrosoftWinUpdate /d C:\Users\Admin\AppData\Roaming\spoolsv.exe /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\services
    C:\Users\Admin\AppData\Local\Temp\services
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\service
      C:\Users\Admin\AppData\Local\Temp\service
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\jqs
      C:\Users\Admin\AppData\Local\Temp\jqs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jqs

Filesize
234KB

MD5
176055ddb85b68a7e82261983eeb2be3

SHA1
71d746a26e71a7cd27889236fe10272adca71470

SHA256
0cf964d42c0f1abb67e03811dd7c8bfab0f9749d54184d0007f83405df90802b

SHA512
b5de9443f0276b132896aebbd5dfa4d2c94c4be11924e57cf5131cd2f60d08ecc792ad6112b71b7f8339de830ed75c3d6d5b62705d4f743c1b3db1b667905669

Download Submit
C:\Users\Admin\AppData\Local\Temp\service

Filesize
842KB

MD5
8073da5a6e5d0b3d83a88b928479ac11

SHA1
30fc7de83a475818ae310735dfeb627b9c225920

SHA256
5d2bd180da2f7dc01c9fd51e658910fc9d6cbf193df9be7a3662fd547c0d6169

SHA512
ff75aa9f3a6df7e7bfe61ddf5612e987bcd988a27f086d02cc016a68863933dbaecf64ddc0ae5674805b8ed4c7b789b678b266c5b553eff170b282e0b7ae9c6c

Download Submit
C:\Windows\SysWOW64\applogon.scr

Filesize
1018KB

MD5
db2c362313e65d352caf4e73b8334c9f

SHA1
b8e60cf8d0636f5dd064c92652744652ac0922b4

SHA256
bf932af0360318f3f71f33c440960cc105b197134cd5ea95b0668bb596f9df6d

SHA512
69c042142e9f59e5fbc3e614b8eafc3f335ae9903dbfedfc050452eb86e840a35afb53688b0d11db92b81f0bbd5934f5b84dea3a430656cf2ec627cadc4680fa

Download Submit
memory/180-16-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1004-34-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1004-45-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1004-42-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1004-15-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1004-17-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1004-36-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1004-35-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2908-38-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2908-29-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2908-39-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3560-21-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/3560-9-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3560-8-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/4636-33-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4636-40-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4636-41-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads