61ed0c6cdedb33788e863ceddfebd9c0108966d99991bf805563b6887791a9be

General

Target

304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
Size

2.3MB
MD5

304fc9cfd9ec40892dde1bd9b4b14ff9
SHA1

4f4f56e7094e9f902cd7e84bb3eed8a61deaf10f
SHA256

61ed0c6cdedb33788e863ceddfebd9c0108966d99991bf805563b6887791a9be
SHA512

6d0a722c30bc75e74101372e4bce83be87d680e7bd154d3a973fc380f20fee234927688583c85db28d4a88acfa1382679287978021ce8e1b4bde20d4ea5186f3
SSDEEP

49152:qeV2kAH8thkEwqiYprcPB394oieUF1mJiQ4ZNC24cEfzEK5:qg2xIY68dviHTmJiQ4nB4cEbEK5

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120fb-2.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
336	cscript.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1504-1-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1064-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1080-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1083-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1085-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1087-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1089-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1091-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1093-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1095-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1097-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1099-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1101-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1103-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1105-0x0000000000400000-0x0000000000A08000-memory.dmp	upx
behavioral1/memory/1504-1107-0x0000000000400000-0x0000000000A08000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 336	1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe	30
PID 1504 wrote to memory of 336	1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe	30
PID 1504 wrote to memory of 336	1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe	30
PID 1504 wrote to memory of 336	1504	304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\304fc9cfd9ec40892dde1bd9b4b14ff9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Language\Default.ini

Filesize
13KB

MD5
d5f25183026b3016fda7f529b33ca475

SHA1
ac61e8990087ef09d4917c467f3f0b2320f660a3

SHA256
de88dfeb0246c7ea5c0ba7d60f1a272ab33f641cc9a171e16305a94f0c2917c8

SHA512
7c416980f14ce4d8775f589fe28a78bb49d93cc3edf693e00971fa3463fc1e73be7ac8253caf4fd7cf6df32ba063e9e4fd84eb891b3953c86b40dc60b0a5c5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings\Settings.ini

Filesize
1KB

MD5
3cce2b24f01e0f2b4644ea35f789f2c9

SHA1
c62d3c90c032298433b1b9c1af6c587a81abf512

SHA256
da343b5dc4525433db3605730ccce6e926701b845f914bd6826dd87552cb1c7c

SHA512
0a183025e6d45229d0ff670b84956a0494d839378444fc0ade38e141ebb5fd63f2f6401ab21236f4c22acfbd5c1afca800633937a8046ac244835d7f16a7a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs

Filesize
841B

MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
\Users\Admin\AppData\Local\Temp\aal703.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/336-1062-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/336-1058-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1504-1080-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1087-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1064-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1082-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1504-4-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/1504-1081-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/1504-1083-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1085-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1504-1089-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1091-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1093-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1095-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1097-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1099-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1101-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1103-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1105-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/1504-1107-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing