021e5d6758b9cfa7288439fd7023deea00abbb9dcbffe06ddfd9708459350f97

General

Target

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Size

114KB
MD5

848c33fc0dfb04e65b930c4331fcf465
SHA1

ed27ab0d8200b113fac946b535795ffc398d066b
SHA256

021e5d6758b9cfa7288439fd7023deea00abbb9dcbffe06ddfd9708459350f97
SHA512

bbea84c0fef464e45f2daecdec057f9d2da2f6021a8449e2587d2ece859ead3309d5c1cad8c3373c03125f2869a0444e51ba21af60f694592042654d5421c074
SSDEEP

1536:lY0mCcjyMXNF2PAL+rWximfdG2m42J3Br0/7J/AMjRpyB1voj/ztvHbcJvdXLjFW:W0mCUxX6IL+axiYHqYJGBWzcJvHJiN

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

skybot.exeskybot.exe

pid process

1644 skybot.exe
848 skybot.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

pid	process
1644	skybot.exe
848	skybot.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skybot.exe848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe"	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe"	skybot.exe

Drops file in System32 directory 3 IoCs

Processes:

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exeskybot.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\skybot.exe	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\skybot.exe	skybot.exe
File created	C:\Windows\SysWOW64\skybot.exe	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2720-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2720-9-0x0000000000400000-0x0000000000433000-memory.dmp	upx
C:\Windows\SysWOW64\skybot.exe	upx
behavioral2/memory/1644-13-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/848-15-0x0000000000400000-0x0000000000433000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

skybot.exe848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skybot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

Modifies registry class 6 IoCs

Processes:

skybot.exeskybot.exe848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	skybot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	skybot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	skybot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exeskybot.exe

pid process

2720 848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
2720 848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
1644 skybot.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exeskybot.exe

description pid process

Token: SeDebugPrivilege 2720 848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Token: SeDebugPrivilege 1644 skybot.exe

pid	process
2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
1644	skybot.exe

description	pid	process
Token: SeDebugPrivilege	2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
Token: SeDebugPrivilege	1644	skybot.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exeskybot.exe

description	pid	process	target process
PID 2720 wrote to memory of 1644	2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe	skybot.exe
PID 2720 wrote to memory of 1644	2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe	skybot.exe
PID 2720 wrote to memory of 1644	2720	848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe	skybot.exe
PID 1644 wrote to memory of 848	1644	skybot.exe	skybot.exe
PID 1644 wrote to memory of 848	1644	skybot.exe	skybot.exe
PID 1644 wrote to memory of 848	1644	skybot.exe	skybot.exe

C:\Users\Admin\AppData\Local\Temp\848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\848c33fc0dfb04e65b930c4331fcf465_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\skybot.exe
C:\Windows\system32\skybot.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\skybot.exe
C:\Windows\system32\skybot.exe
3⤵
- Executes dropped EXE
- Modifies registry class
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\skybot.exe

Filesize
114KB

MD5
848c33fc0dfb04e65b930c4331fcf465

SHA1
ed27ab0d8200b113fac946b535795ffc398d066b

SHA256
021e5d6758b9cfa7288439fd7023deea00abbb9dcbffe06ddfd9708459350f97

SHA512
bbea84c0fef464e45f2daecdec057f9d2da2f6021a8449e2587d2ece859ead3309d5c1cad8c3373c03125f2869a0444e51ba21af60f694592042654d5421c074

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
7465dc5adfaaf6f86e2cd02695192abc

SHA1
481102747570255b86563ed5c2be79cf003c3fc9

SHA256
c15033e0bc0f14def3232150f0648cf3d4d98a26f4710fa00ae948fee7a5c391

SHA512
ca96636c3a6e4d65e951b7bba82ce5b9faea47f6d004cb925730e7fa3572e2903b21b0fcb326eff9cfba614a16a852c9513bb763e673690c1e244605a459765d

Download Submit
memory/848-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads