4c75baeaeae732be06d8de4bf0903037b222fd9b512313590ab15f8379eff32f

General

Target

JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
Size

32KB
MD5

e26a83887c83a6078bbd5984cfd4b35e
SHA1

851b8a33f38e6ec95f6e4709e2e36d15e227afd7
SHA256

4c75baeaeae732be06d8de4bf0903037b222fd9b512313590ab15f8379eff32f
SHA512

87396c80ffcac241df73187acf716512b8df18970b1df2c521a45a7fb3506450b117eb87637ceba4ae73cc06ab13aca6a9572d272b162ce0fd1c067e9fec8227
SSDEEP

768:vaQ4ZapVSai7h2DKnNYaisB/YHBtuwgHR4E7t80gHieppOdFJM:v9TpcaQEmNY0JYHBtuw6SE7S1ie7OdFO

Score

10^/10

discovery evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
4244	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4244	rundll32.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\sysapp6.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\YUksuser.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\ksuser.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\YUmidimap.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
File created	C:\Windows\SysWOW64\midimap.dll	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1484-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1484-10-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2332	sc.exe
2156	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	83
PID 1484 wrote to memory of 4332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	83
PID 1484 wrote to memory of 4332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	83
PID 1484 wrote to memory of 2332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	84
PID 1484 wrote to memory of 2332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	84
PID 1484 wrote to memory of 2332	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	84
PID 1484 wrote to memory of 2156	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	85
PID 1484 wrote to memory of 2156	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	85
PID 1484 wrote to memory of 2156	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	85
PID 1484 wrote to memory of 4244	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	89
PID 1484 wrote to memory of 4244	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	89
PID 1484 wrote to memory of 4244	1484	JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe	89
PID 4332 wrote to memory of 436	4332	net.exe	90
PID 4332 wrote to memory of 436	4332	net.exe	90
PID 4332 wrote to memory of 436	4332	net.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e26a83887c83a6078bbd5984cfd4b35e.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:436
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1737363812.dat, ServerMain c:\users\admin\appdata\local\temp\jaffacakes118_e26a83887c83a6078bbd5984cfd4b35e.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1737363812.dat

Filesize
32KB

MD5
ed16295fa9301b5d8442bea33917b9e0

SHA1
741242d7d9e309d4ecadbf8630ad49e063c63d88

SHA256
d912f303aad6d0a403647bf641891160a8f189b358df6016dcb3a1b7becc3818

SHA512
67668d80d16f7f0c3fb13470ce17a2c67f5b658a2ff90e44e9f1471266e73974389b1e3a4639790fb7115c094071317ca3d329d127be47342fa96982d1579273

Download Submit
memory/1484-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1484-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing