5308ade8b3627cbb184fc6ee70b2345cbdadc1afa8255fdca6a5db8ced6cb8ed

General

Target

2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
Size

798KB
MD5

2fb7b36bfb47a05d3550e8912c852ab1
SHA1

0d4766cdd191cf22111f1bdaa610e50b6613c467
SHA256

5308ade8b3627cbb184fc6ee70b2345cbdadc1afa8255fdca6a5db8ced6cb8ed
SHA512

17fd5017bb3e76c1437a1483dc18857f0700f23070c928e9cec270094b75682abdf2717759c9559e63de5da8697d5009f6c40d1727380ff09597c710e98d85ac
SSDEEP

6144:wD7GsXs2/RMeHZ9Vkjs7VZpylwYdGKgODMPaU8oS:cxsjswwVK14IoS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2728	svchost.exe
524	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2728 set thread context of 524	2728	svchost.exe	35

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2316-35-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/files/0x0007000000018731-39.dat	upx
behavioral1/memory/2728-82-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
2728	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2700	2316	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2728	2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	33
PID 2700 wrote to memory of 2728	2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	33
PID 2700 wrote to memory of 2728	2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	33
PID 2700 wrote to memory of 2728	2700	2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe	33
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35
PID 2728 wrote to memory of 524	2728	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2fb7b36bfb47a05d3550e8912c852ab1_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe [NEW]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d4a12f78da45284fb3aae03da640ccba

SHA1
b249a7866b44db669e8f0b1fdc4e0069e3037e43

SHA256
fbee27a460a30e49e932cda67f938c1b1fb23bf49bd91bfed7e7e4388980e79a

SHA512
ffb410a3b90631e51bfbad591d21fdae22f514f46d47cf0f46fb3ccd7dbf837c293a5d7f92b8acda6594235813e8eb08052e3a5ba7426ad6b21d3da0f0c770b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05

Filesize
471B

MD5
210afb2776c3150c6fe61cac708ddc7e

SHA1
5e9d423e09aee4883a3ff962025c4b59f79c3003

SHA256
25969228d4e7a86f0c07d89cb8e5b0bbc13b41a317cccfca08b522d9b98908ca

SHA512
e8583e29fc79e05c68807c4654b8066dbca94c3eb97bfc2b8c6c89a506a9e3c735aa34d55f037947331dad4bf5d714a402fd05cb6a99b7bfcd070f3f3f941862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
1b366bcf53949a308c7a46bb3fc5046b

SHA1
42692ca352474de961c381b8a0086d6b3c4ae22a

SHA256
f8797e7170d2872ce2c4d001f225b87e5f06b976d3362991384dbc1510ba2934

SHA512
e2597888c1882538ccfd8f3e67be2eda39957da55ac7f11fb52f3f5f775231903aef97318d30d5d531d5ad20771d5624981897111141ff7d9560d8a27372a23c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05

Filesize
396B

MD5
363c4f0e4de23c0752ebf94e593d3942

SHA1
fdf2e9e81fa569111492a133509f0818ee5115d7

SHA256
8dc6901f1013722d23372fe79dab671fb6e18187c186290f145304989374e803

SHA512
2b8f9116be2091b1146681bed2465488f2769cd457e8f9e501091b66f2c6afb1d3c55f821c0a509bd319c8fee2c5cf525de427e1a483f07252106f80a04142c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMwkG.exe

Filesize
1KB

MD5
9b6419564e2517bca5c02656ee34428a

SHA1
82fa924ab283fdced730a5a01980bc16038a4ebc

SHA256
7c3062f4433da04b86fb2a95156b3598d5e9e030494f9956755dcff563579a4a

SHA512
5d95f22c06e9685f3728cad4aec555c002e5ccffb9bead9930b77f852c996c2eb97f33f569950271393fdadb2e84e469ccf995e4743b0d5f6512741be9c2366b

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
798KB

MD5
2fb7b36bfb47a05d3550e8912c852ab1

SHA1
0d4766cdd191cf22111f1bdaa610e50b6613c467

SHA256
5308ade8b3627cbb184fc6ee70b2345cbdadc1afa8255fdca6a5db8ced6cb8ed

SHA512
17fd5017bb3e76c1437a1483dc18857f0700f23070c928e9cec270094b75682abdf2717759c9559e63de5da8697d5009f6c40d1727380ff09597c710e98d85ac

Download Submit
memory/524-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/524-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/524-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2316-35-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2316-19-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2700-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-45-0x0000000000980000-0x0000000000A49000-memory.dmp

Filesize
804KB

Download
memory/2700-47-0x0000000000420000-0x00000000005A1000-memory.dmp

Filesize
1.5MB

Download
memory/2700-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2700-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-82-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads