7e2dda1ff76577a9709b8f2d10d65bd5661d916ad2bda573393a61f94ca5e76a

General

Target

8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Size

169KB
MD5

8272e03f2189e9a7d42cbcb2b237d149
SHA1

c9209eb7a44a88e07cfb4baa6214f9c8173146f5
SHA256

7e2dda1ff76577a9709b8f2d10d65bd5661d916ad2bda573393a61f94ca5e76a
SHA512

8f93895af63741f71a002ed4c0d45700919bae036acd1cd3c2ae67944f661377ed88e82d66ca6246a1042e8cb432d7de31ae5df5a733ce8bfb757fb029da5dfb
SSDEEP

3072:ji+7qmKtwvnfoiLCf6vKOuKzPLUOiKuzd9es1M/7R69pwB071q/S6hGrx:jiU+t2oiLCkuUYO8ztk7s9m0cS6Mrx

Score

6^/10

discovery persistence upx

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/216-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1436-8-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/216-13-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4420-82-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/216-83-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/216-195-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 1436	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	84
PID 216 wrote to memory of 1436	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	84
PID 216 wrote to memory of 1436	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	84
PID 216 wrote to memory of 4420	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	95
PID 216 wrote to memory of 4420	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	95
PID 216 wrote to memory of 4420	216	8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8272e03f2189e9a7d42cbcb2b237d149_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8D82.1B7

Filesize
1KB

MD5
157eb1150affcc52aaee71f05c34ff16

SHA1
2c0731c0d70bf69ce92edb3aa6196b4a754ffe7d

SHA256
6c33063800f39e7d3ad16bde020bb950a6583b415acce4bc7ef152e71ab3fcfe

SHA512
f88a621f42f1c0ed7b52a05ca22c1931ef8a9ad2b07af495dd7cc6abeb4c8fa43f8f63126be603a5f939eb46b5682fba2504a69a0148f533a81cccbd8d1fb808

Download Submit
C:\Users\Admin\AppData\Roaming\8D82.1B7

Filesize
600B

MD5
75025922c173e6b4b0f2d89eddb15645

SHA1
df91ba83ea01ae18c223d6767016c9d0fb4b361b

SHA256
3239459575d86efdbebbafd0da334ded7ca94588cf1edfaf88e2c4d6abce4a04

SHA512
fb02943489e37221bf25d1f207b0e14af946879bdc96a36b6dece195d1270800eb61d38e9f916634c9a67f5306314656bc0c122021ab862b730028548583ee43

Download Submit
C:\Users\Admin\AppData\Roaming\8D82.1B7

Filesize
996B

MD5
296adb6ee4c4c333bc36dea06463f916

SHA1
c15db014f8b6b5658ba06514ced08288095f5e96

SHA256
51d93efae946f15a2a37d7dce78c7374184cdf26489e245f852659357b18adb6

SHA512
f7df299ba9749e2be860ead771b158ebcefc81ce956b9829e179dddca62249a583b3256156fa1ebcc1102cde11ad23838f3698a49995f279078bb2b4c879c263

Download Submit
memory/216-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1436-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads