0dc0b4487ba9fc73a5a69d8f8519d0d4fcd0b2038057c19932c523cdc70e9533

General

Target

378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
Size

53KB
MD5

378f3d1b9ae41c7621f28c108a099a0e
SHA1

b8f2832b7770bfcf9b1de78dd32af4bac606c494
SHA256

0dc0b4487ba9fc73a5a69d8f8519d0d4fcd0b2038057c19932c523cdc70e9533
SHA512

53ca6358d60d92c519ed466fc208ae82da1078bb181d636631d401ae92d1bc5e49f9631baea61cd4e3b7c35069d3dbad7abd0cdbe0875a84c1be07522eca0bbe
SSDEEP

768:Te3PFaDVyOQgljLDKRJyM3BmsHzSB4us/wJJar6c5QhtY/++RRAVt0wBhUKFuP6p:S3cpyORJLuB4P4AJJS6mQXYD8d8Ki6p

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Windows\\system32\\360WDtray.exe"	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015e8f-21.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1996	Au_.exe

Executes dropped EXE 3 IoCs

pid	Process
1900	uninst.exe
2456	360WDtray.exe
1996	Au_.exe

Loads dropped DLL 15 IoCs

pid	Process
1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
1900	uninst.exe
1900	uninst.exe
1900	uninst.exe
2456	360WDtray.exe
2456	360WDtray.exe
2456	360WDtray.exe
1900	uninst.exe
1900	uninst.exe
1996	Au_.exe
1996	Au_.exe
1996	Au_.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\360WDtray.exe	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360WDtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016239-8.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2456	360WDtray.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 1900	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	28
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1596 wrote to memory of 2456	1596	378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe	29
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30
PID 1900 wrote to memory of 1996	1900	uninst.exe	30

C:\Users\Admin\AppData\Local\Temp\378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\378f3d1b9ae41c7621f28c108a099a0e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1996
- C:\Windows\SysWOW64\360WDtray.exe
  "C:\Windows\system32\360WDtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wuqiu.ini

Filesize
108B

MD5
3e4b1c9ecb00bdca9bce06e01ae16d05

SHA1
3a1fa17e609bc3242251bbd7fb0a38a1e83d621b

SHA256
41731af5351dc76601ef65768ce6f83e016a4e7f76769c02d9c97424d1c276df

SHA512
b59573ece13e62993fc428a315bffa767eac1ba97d3576afa4bf93bcfe698c03ddc33175a180b8a86e9ea7daefb6e4f90e86c24b7766212c1b1414d736229d7c

Download Submit
C:\Windows\SysWOW64\360WDtray.exe

Filesize
16KB

MD5
1a1e907715c2de89c80c59ed3c372df7

SHA1
6af0b227525d88f4a67768355a76379e6e82ae15

SHA256
9c690bd40dd6eb4cc9a306ab47ade5943ee1fd1bec8d7bc83fb1b059b03e9fa6

SHA512
af5e4d2d33198482204a3d1b0a4129e7b17ad4e64c16fb0544ff141ed5516539e537f433f1bdc673faf23dabb3492485ddadcb349fce014b3d8c8a00875895dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsd958D.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
ddf10ed303b82ee362a6cee2b32d961a

SHA1
d3b711217fc3a43d831cf4ab3a5b5dad6b67094f

SHA256
19c418c345db35a2b26e7f329bd0734708631d61f4ad9dd39c23f87116d398d6

SHA512
d43b017b8a33e1524d54b637dc92cc7149f1035b9d9fc984d832ef95bacf3d0a54241639261f10e76b7d9cac63db14720407b013a53e7211028441cff31d85cb

Download Submit
memory/2456-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2456-33-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2456-32-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2456-31-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2456-53-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2456-61-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2456-62-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads