d218ba00936dea02fd2161f899870997eb919b55621d9b88adf4f557f8c3023d

General

Target

3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe
Size

2.2MB
MD5

3d3d222c524386051a66e0e986f97d16
SHA1

f86b87d976aa9dec28b84eca3fc33350c07020ff
SHA256

d218ba00936dea02fd2161f899870997eb919b55621d9b88adf4f557f8c3023d
SHA512

eb9590b1d8554aa12dd14e2ca0faec9e3670cb6bdd6e0c118148463214a1d40b499b107dfffb49e1148ee0b16a4309411f7585f7d48045a066ad6b42577415f5
SSDEEP

49152:oUz0QnDZBtducPSxAWr7ksSp2WuhkTCzF3KcfMBVuRhTmt9bfm9t:z0QnFdhqtr7kBYkTCt3MBghTmt9be9t

Score

10^/10

aspackv2 discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\regtoro.sys	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/memory/4276-1-0x0000000000400000-0x00000000012D2000-memory.dmp	aspack_v212_v242

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Tcp_IP.exe"	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tcp_IP.exe	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe
File opened for modification	C:\Windows\Tcp_IP.exe	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4528	4276	WerFault.exe	83
2800	4276	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4076	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1160	4276	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe	89
PID 4276 wrote to memory of 1160	4276	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe	89
PID 4276 wrote to memory of 1160	4276	3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe	89
PID 1160 wrote to memory of 4076	1160	cmd.exe	91
PID 1160 wrote to memory of 4076	1160	cmd.exe	91
PID 1160 wrote to memory of 4076	1160	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d3d222c524386051a66e0e986f97d16_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 384
  2⤵
  - Program crash
  PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 968
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4276 -ip 4276
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4276-1-0x0000000000400000-0x00000000012D2000-memory.dmp

Filesize
14.8MB

Download
memory/4276-2-0x0000000001440000-0x0000000001487000-memory.dmp

Filesize
284KB

Download
memory/4276-3-0x0000000000400000-0x00000000012D2000-memory.dmp

Filesize
14.8MB

Download
memory/4276-5-0x00000000033A0000-0x0000000003425000-memory.dmp

Filesize
532KB

Download
memory/4276-4-0x00000000013D0000-0x00000000013DE000-memory.dmp

Filesize
56KB

Download
memory/4276-6-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4276-9-0x0000000001440000-0x0000000001487000-memory.dmp

Filesize
284KB

Download
memory/4276-10-0x0000000000400000-0x00000000012D2000-memory.dmp

Filesize
14.8MB

Download
memory/4276-11-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads