01b016405ff19829bd52e4ca9892a946e515095ce03d8fddb71e0cdad8c34d13

General

Target

2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
Size

723KB
MD5

2749759db005d1146d1fbf99cde4700e
SHA1

557e31009e878e1fb4a8920b464daa18ebca484e
SHA256

01b016405ff19829bd52e4ca9892a946e515095ce03d8fddb71e0cdad8c34d13
SHA512

77f88791eb9b0053ae0e487526342efce8dd32c957243933fe2decbeb6cd7191bb72df8442d39abd1e3fcb4029b279e8cd286e2ab052cf25c6f09883a7ab57c1
SSDEEP

12288:XvrY5JS2WIATTJUNPxxc2QNTv7IozPkJMeb+kUSQIqhXuND7Zl20suy3HVeUKqJg:XvU5JS2eTTJUi2QJ7rTkJMG+zSQR4ND3

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000173de-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	Yiesrzucs.exe

Loads dropped DLL 6 IoCs

pid	Process
1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
2904	Yiesrzucs.exe
2904	Yiesrzucs.exe
1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Yiesrzucs.exe	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Yiesrzucs.dll	Yiesrzucs.exe
File opened for modification	C:\Windows\SysWOW64\Yiesrzucs.dll	Yiesrzucs.exe
File created	C:\Windows\SysWOW64\Yiesrzucs.exe	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000173de-4.dat	upx
behavioral1/memory/1280-6-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/2904-28-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/1280-59-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/2904-56-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\542c74471fd58e1c01e4057d05a2eb49.dat	Yiesrzucs.exe
File opened for modification	C:\Windows\Fonts\542c74471fd58e1c01e4057d05a2eb49.dat	Yiesrzucs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yiesrzucs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	Yiesrzucs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
2904	Yiesrzucs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2904	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2904	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2904	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2904	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	31
PID 2904 wrote to memory of 1188	2904	Yiesrzucs.exe	21
PID 1280 wrote to memory of 2224	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	32
PID 1280 wrote to memory of 2224	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	32
PID 1280 wrote to memory of 2224	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	32
PID 1280 wrote to memory of 2224	1280	2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\Yiesrzucs.exe
    C:\Windows\system32\Yiesrzucs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""c:\2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe_And DeleteMe.bat""
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2749759db005d1146d1fbf99cde4700e_JaffaCakes118.exe_And DeleteMe.bat

Filesize
210B

MD5
d2eae0e5e00a65571074275be5697e8b

SHA1
5ba7070aab0fb43650a82f46427126d143268759

SHA256
c763becd467d5d9fbbab434bd424be5b22d2f9ad4d4ed4020bd2ab9808d545d9

SHA512
6f27b6eea1c34bfe3c93c5e4de38af3d7bd1a4947cb27b9210e6b71194810430ba29886278c5e498b1766c08ba8d5ff9000d978733fe2f1e7a2eff738b4b6d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
407KB

MD5
783a2f0cc9d2c13f2cb980b5bd198005

SHA1
a1bafe779952f61946fe9003e48dddc65184c6da

SHA256
e21bf808a0f4c0d6e971267bb61cb00bd9acf45ddabd6db90f906ba064a3489f

SHA512
c35d6a39658722dc603e372c92ef18fe7700bfda435230cf5fc39c61c3044481a581cfe797c88fd131e6ecb5940ac31423b33b86b2d52e57df2a1c5669e2bbdc

Download Submit
\Windows\SysWOW64\Yiesrzucs.exe

Filesize
723KB

MD5
2749759db005d1146d1fbf99cde4700e

SHA1
557e31009e878e1fb4a8920b464daa18ebca484e

SHA256
01b016405ff19829bd52e4ca9892a946e515095ce03d8fddb71e0cdad8c34d13

SHA512
77f88791eb9b0053ae0e487526342efce8dd32c957243933fe2decbeb6cd7191bb72df8442d39abd1e3fcb4029b279e8cd286e2ab052cf25c6f09883a7ab57c1

Download Submit
memory/1188-42-0x0000000009960000-0x000000000D299000-memory.dmp

Filesize
57.2MB

Download
memory/1280-17-0x00000000003B0000-0x00000000003EB000-memory.dmp

Filesize
236KB

Download
memory/1280-3-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1280-16-0x00000000003B0000-0x00000000003EB000-memory.dmp

Filesize
236KB

Download
memory/1280-59-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1280-6-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1280-46-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/1280-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2904-18-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2904-32-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/2904-28-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/2904-49-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2904-56-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing