732223a1f8f887a14bed0ed7936952878e86c34a539a4eefdab88c1fc0edbde7

General

Target

4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Size

100KB
MD5

4680517f23a325c457cc85781a75015c
SHA1

ab0f9c1885e315eeb1077280543706168dba4a04
SHA256

732223a1f8f887a14bed0ed7936952878e86c34a539a4eefdab88c1fc0edbde7
SHA512

a411e2cfe0650c8c5f416ea0b1a5871c15554e813c41a5066845ddfd5792ad005f80a2e45b020fc7cf8fda52df7fa9197e93de6d894da169de30f9f03c2fe993
SSDEEP

1536:X+yFe8bF79mMlgpgZ+NFV4FvEdNUZr97qw90r26A/9nHHNqTHN9Itlc:O2DFYMXZ+NFEbZr97TeKIN2tlc

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000014b54-6.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2088	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
2088	svchost.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\N:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\O:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\H:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\P:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\S:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\T:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\U:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\V:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\L:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\I:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\G:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\K:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\M:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\Q:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\R:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened (read-only)	\??\E:	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2792-8-0x00000000001B0000-0x00000000001CF000-memory.dmp	upx
behavioral1/files/0x0009000000014b54-6.dat	upx
behavioral1/files/0x000b000000012029-9.dat	upx
behavioral1/memory/2792-20-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2088-16-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2088-22-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2088-34-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2088-35-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\svchost.exe	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File created	C:\Program Files (x86)\VYOSD.dll	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\VYOSD.dll	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ = "C:\\PROGRA~2\\VYOSD.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\Clsid	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ = "Maihook1007"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ = "C:\\PROGRA~2\\VYOSD.dll"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile = "051037068052045076082051049032098048007066184015214005244076202121009102212152250022079169125022093023174080039242199241086099031053210"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID\ = "VYOSD.ShellExecuteHook1007"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\Clsid	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID\ = "VYOSD.ShellExecuteHook1007"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ = "Maihook1007"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\ = "Maihook1007"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\Clsid\ = "{78E611A2-E484-4A0D-811E-C40100A3F452}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "050045090052045079086028049032108055145066009101209058102029022149044193192151230237245245080196008033060082138028049200096"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ThreadingModel = "Apartment"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\ = "Maihook1007"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VYOSD.ShellExecuteHook1007\Clsid\ = "{78E611A2-E484-4A0D-811E-C40100A3F452}"	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2088	2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2088	2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2088	2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe	28
PID 2792 wrote to memory of 2088	2792	4680517f23a325c457cc85781a75015c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\4680517f23a325c457cc85781a75015c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4680517f23a325c457cc85781a75015c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\svchost.exe
  "C:\Program Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\VYOSD.dll

Filesize
144KB

MD5
d57af4ee7f99237b7bd650d5f46e88bb

SHA1
99c85c20299fde65702cdb4248a8918a1112e55d

SHA256
be351274443b3a70a089a14180a57f88cafba651fd4d770654b3100ff29718ab

SHA512
4bb41c8e974d02b813c5bb1dca50a24daab29db91ca81eb89aab6019276ea3423c6efd971d6024603216b9c8fa3276105424c3ca0e7bb71c64d3185c9add6927

Download Submit
\Program Files\svchost.exe

Filesize
100KB

MD5
73c01393d748bac453ac9ae74470fc78

SHA1
07bdfc19721e42d5c8876a225a5a056a6501d3e0

SHA256
23b50fc3da222815252f3da2ae6be3887e7c6b49877f03067e90125140d02f4d

SHA512
62659b230ce238c34b7131b7a19592a5d7540f90a8a3e746d1f0caa064fe4e6f611460de953c82c0e068435516efe4908f0b5d6dc441c4a8319b426e8f607770

Download Submit
memory/2088-21-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2088-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2792-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2792-8-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2792-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing