2e41bbaaee53c79ad69bd90a4d5bd4a6b8703aa5f90ebd154c9af0c63972c844

General

Target

JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
Size

363KB
MD5

9443e840ac07a44d629fd0f37d027252
SHA1

cc116c036a943552fc407315b30a184e6efb0966
SHA256

2e41bbaaee53c79ad69bd90a4d5bd4a6b8703aa5f90ebd154c9af0c63972c844
SHA512

a10be712392bd7a52b2ca71f1237e0da2096cb1bcc77e9d509b8afc59973b06f69331c40815503379a1485aed4caed1fa3c3601c60860a1a067b2984052716d4
SSDEEP

6144:yKWnMbzIHKAYx23WyCRxA9WhO4ZDSczLVwq9tXfzB/dvmrmab6yH:ywoqAY2WDRnO6dwq/X7Btzc

Score

7^/10

discovery persistence phishing upx

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 3 IoCs

pid	Process
1084	ihrqfd.exe
2528	ihrqfd.exe
1816	ihrqfd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinLoader = "ihrqfd.exe"	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinLoader = "ihrqfd.exe"	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2092-0-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/files/0x000b000000024052-6.dat	upx
behavioral2/memory/2528-11-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1084-13-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/2092-14-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/2092-20-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-22-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-23-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-24-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-25-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-26-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-27-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-28-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-29-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-30-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-31-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-32-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-33-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-34-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-35-0x0000000000400000-0x0000000000501000-memory.dmp	upx
behavioral2/memory/1816-36-0x0000000000400000-0x0000000000501000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ihrqfd.exe	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
File created	C:\Windows\~temp.bat	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihrqfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihrqfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihrqfd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	ihrqfd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ihrqfd.exe
Key opened	\REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1084	1528	cmd.exe	91
PID 1528 wrote to memory of 1084	1528	cmd.exe	91
PID 1528 wrote to memory of 1084	1528	cmd.exe	91
PID 2464 wrote to memory of 2528	2464	cmd.exe	92
PID 2464 wrote to memory of 2528	2464	cmd.exe	92
PID 2464 wrote to memory of 2528	2464	cmd.exe	92
PID 2092 wrote to memory of 1816	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	96
PID 2092 wrote to memory of 1816	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	96
PID 2092 wrote to memory of 1816	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	96
PID 2092 wrote to memory of 3764	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	97
PID 2092 wrote to memory of 3764	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	97
PID 2092 wrote to memory of 3764	2092	JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9443e840ac07a44d629fd0f37d027252.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\ihrqfd.exe
  C:\Windows\ihrqfd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\~temp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihrqfd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\ihrqfd.exe
  ihrqfd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ihrqfd.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\ihrqfd.exe
  ihrqfd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ihrqfd.exe

Filesize
363KB

MD5
9443e840ac07a44d629fd0f37d027252

SHA1
cc116c036a943552fc407315b30a184e6efb0966

SHA256
2e41bbaaee53c79ad69bd90a4d5bd4a6b8703aa5f90ebd154c9af0c63972c844

SHA512
a10be712392bd7a52b2ca71f1237e0da2096cb1bcc77e9d509b8afc59973b06f69331c40815503379a1485aed4caed1fa3c3601c60860a1a067b2984052716d4

Download Submit
C:\Windows\~temp.bat

Filesize
249B

MD5
5188ea6e78978b5bf69a06c8ef0fc1d2

SHA1
6ca73a09b8c689a3a016852e429cc490bf39a7f3

SHA256
f77cd786ccb77e65714cfc1abd7dd6fd01c7ca5710709264f62c0ec80b9f4ba1

SHA512
c0df3d08ba4a1c90c26f8cd7cd1f5d7612e19e41e23bf2c54bb5134cc12246b3d79c5663ba753a2418f64687581d95c5803dfa1093d7fb429357bb76b19bbcac

Download Submit
memory/1084-13-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1084-9-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1816-23-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-31-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-36-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-35-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-34-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-33-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-32-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-22-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-30-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-24-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-25-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-26-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-27-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-28-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1816-29-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2092-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2092-1-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2092-20-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2092-15-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2092-14-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2528-11-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2528-8-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads