9e8f48eb767fcc815e52b001490086397079986a8389ae9d239097128546024f

General

Target

e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
Size

23KB
MD5

e2abbf30e779a5f8931222f7398e2ee1
SHA1

ce71ed03848d2f908237c397fe17b539c969e6a4
SHA256

9e8f48eb767fcc815e52b001490086397079986a8389ae9d239097128546024f
SHA512

e683298bd2adbe042489116a6f01dd58491f661cb9604baab700f4f5c192e71caa6f0300552e6ce0d7a7596c336b2d28b0e26ef5e94fea0d3fcf5280c5a5a84e
SSDEEP

384:bOiObYq5/pvqLyqSbSq0eK5zM+4P/8JI3ryKOxZ9J9m/D6TXPhPf+fF6b2pO7:cbN5hSZBNzJEX3rf6XPh+4H

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2724	N0h530SI.exe
2392	j2O30M5I.exe
2612	37LU7qL0.exe
1696	Daq56m7k.exe

Loads dropped DLL 8 IoCs

pid	Process
1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
2724	N0h530SI.exe
2724	N0h530SI.exe
2392	j2O30M5I.exe
2392	j2O30M5I.exe
2612	37LU7qL0.exe
2612	37LU7qL0.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1796-1-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x00090000000121f4-5.dat	upx
behavioral1/memory/1796-6-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1796-7-0x00000000005E0000-0x00000000005EC000-memory.dmp	upx
behavioral1/memory/2724-15-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2724-31-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2392-33-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1796-51-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2392-53-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2392-54-0x0000000000560000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2612-55-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2724-76-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2612-78-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2612-90-0x00000000024E0000-0x00000000024EC000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\j2O30M5I.exe	N0h530SI.exe
File opened for modification	C:\Windows\SysWOW64\j2O30M5I.exe	N0h530SI.exe
File created	C:\Windows\SysWOW64\37LU7qL0.exe	j2O30M5I.exe
File opened for modification	C:\Windows\SysWOW64\37LU7qL0.exe	j2O30M5I.exe
File created	C:\Windows\SysWOW64\Daq56m7k.exe	37LU7qL0.exe
File opened for modification	C:\Windows\SysWOW64\Daq56m7k.exe	37LU7qL0.exe
File created	C:\Windows\SysWOW64\N0h530SI.exe	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\N0h530SI.exe	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2724	1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2724	1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2724	1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2724	1796	e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe	28
PID 2724 wrote to memory of 2392	2724	N0h530SI.exe	31
PID 2724 wrote to memory of 2392	2724	N0h530SI.exe	31
PID 2724 wrote to memory of 2392	2724	N0h530SI.exe	31
PID 2724 wrote to memory of 2392	2724	N0h530SI.exe	31
PID 2392 wrote to memory of 2612	2392	j2O30M5I.exe	33
PID 2392 wrote to memory of 2612	2392	j2O30M5I.exe	33
PID 2392 wrote to memory of 2612	2392	j2O30M5I.exe	33
PID 2392 wrote to memory of 2612	2392	j2O30M5I.exe	33
PID 2612 wrote to memory of 1696	2612	37LU7qL0.exe	35
PID 2612 wrote to memory of 1696	2612	37LU7qL0.exe	35
PID 2612 wrote to memory of 1696	2612	37LU7qL0.exe	35
PID 2612 wrote to memory of 1696	2612	37LU7qL0.exe	35

C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\N0h530SI.exe
  "C:\Windows\system32\N0h530SI.exe" C:\Users\Admin\AppData\Local\Temp\e2abbf30e779a5f8931222f7398e2ee1_JaffaCakes118.exe -firstrun
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\j2O30M5I.exe
    "C:\Windows\system32\j2O30M5I.exe" C:\Windows\SysWOW64\N0h530SI.exe -firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\37LU7qL0.exe
      "C:\Windows\system32\37LU7qL0.exe" C:\Windows\SysWOW64\j2O30M5I.exe -firstrun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Daq56m7k.exe
        
        "C:\Windows\system32\Daq56m7k.exe" C:\Windows\SysWOW64\37LU7qL0.exe -firstrun
        5⤵
        Executes dropped EXE
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\N0h530SI.exe

Filesize
23KB

MD5
e2abbf30e779a5f8931222f7398e2ee1

SHA1
ce71ed03848d2f908237c397fe17b539c969e6a4

SHA256
9e8f48eb767fcc815e52b001490086397079986a8389ae9d239097128546024f

SHA512
e683298bd2adbe042489116a6f01dd58491f661cb9604baab700f4f5c192e71caa6f0300552e6ce0d7a7596c336b2d28b0e26ef5e94fea0d3fcf5280c5a5a84e

Download Submit
memory/1796-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1796-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1796-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1796-7-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1796-14-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1796-85-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1796-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2392-64-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2392-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2392-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2392-54-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2612-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2612-78-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2612-90-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/2724-40-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2724-32-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2724-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing