d3c1c411550e4c14812b47f5576f36f4082644312483b8908228d3d364db9bb6

General

Target

e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe
Size

4.5MB
MD5

e838f6d36fbf4e265ac274030216b584
SHA1

69b023ccffa45092406bead777a5c3dd5ada5961
SHA256

d3c1c411550e4c14812b47f5576f36f4082644312483b8908228d3d364db9bb6
SHA512

2ad7c43f17b7f9dff0395b0db31799b3baf8dde874b7735846b57f139f831875005c03f3546b86a3ffc9bf9de0f500c8d74e33167782f3883f0990da7581dfe2
SSDEEP

98304:PX4z31nFnc3hnY2eRODwhZDO9e/DKeW+0byazx14:vE1n+3u2eIDwTDaODybya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
2580	Voluptas.exe

Loads dropped DLL 3 IoCs

pid	Process
2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Delectus\unins000.dat	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\sit\is-CFV2D.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\sit\is-C34QD.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\sit\is-2ENB1.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\is-482P4.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\harum\is-U9I5K.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\harum\is-6L1UG.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\quaerat\is-A79VQ.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\sit\is-VQT8H.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\unins000.dat	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\is-R1G7S.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\harum\is-KCPTO.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\nemo\is-PHHCN.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\ut\is-3QKSE.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Delectus\harum\Voluptas.exe	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Delectus\harum\is-J6H6K.tmp	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2160	2020	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2580	2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp	29
PID 2160 wrote to memory of 2580	2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp	29
PID 2160 wrote to memory of 2580	2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp	29
PID 2160 wrote to memory of 2580	2160	e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp	29

C:\Users\Admin\AppData\Local\Temp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\is-T7097.tmp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T7097.tmp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp" /SL5="$80022,4059836,721408,C:\Users\Admin\AppData\Local\Temp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\Delectus\harum\Voluptas.exe
    "C:\Program Files (x86)\Delectus/\harum\Voluptas.exe" 3f97056845059c859004ef5d0b34040f
    3⤵
    - Executes dropped EXE
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Delectus\harum\Voluptas.exe

Filesize
4.7MB

MD5
9c474a71a02523450b55bf5814d9d405

SHA1
b80acece588f54c19ad6a55b63308a0b414f22c1

SHA256
3b4d6e737e82cce1afa95a28f92a3aced97eb1893bd47489cbe03aac2a187cb0

SHA512
5dcb21b6b589ee0dc79305f2aacf119429e105ad3b218806ce9a6d225a4a5739a6e8c9554de580f0ecc6af02db5934081a831cd5307969724d4227d749a14a6c

Download Submit
\Users\Admin\AppData\Local\Temp\is-CVES3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-T7097.tmp\e838f6d36fbf4e265ac274030216b584_JaffaCakes118.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
memory/2020-48-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2020-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2020-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2160-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2160-49-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2160-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2580-47-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2580-46-0x0000000000400000-0x00000000016C1000-memory.dmp

Filesize
18.8MB

Download
memory/2580-45-0x0000000000400000-0x00000000016C1000-memory.dmp

Filesize
18.8MB

Download
memory/2580-50-0x0000000000400000-0x00000000016C1000-memory.dmp

Filesize
18.8MB

Download
memory/2580-60-0x0000000000400000-0x00000000016C1000-memory.dmp

Filesize
18.8MB

Download

Analysis

Sharing