0ac820de77d9ffa2a3ad907f8c08f4d64e990e2c643f4b584f76ebb648d2de51

General

Target

f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe
Size

209KB
MD5

f4e6f5ff240e5fc0dd147d15affec6f3
SHA1

1b71c20a65332ae89d3871d2e279025aa2291406
SHA256

0ac820de77d9ffa2a3ad907f8c08f4d64e990e2c643f4b584f76ebb648d2de51
SHA512

8a84a9a4589e0735c75041ef1470e0eb21f56b10f4fa9eecf949abb770152606b1fd45a9666cbb53c3a56510c14dccbcd923522252d01a9e53007edbb602e536
SSDEEP

6144:/ldPBZgcI9Pl4H5S/k7kTgOoRA9eK1r6Qz/XAzllXl:jjgVlU5S/kYIsQl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4556	u.dll
844	mpress.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4192	Calculator.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3364	1404	f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe	85
PID 1404 wrote to memory of 3364	1404	f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe	85
PID 1404 wrote to memory of 3364	1404	f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe	85
PID 3364 wrote to memory of 4556	3364	cmd.exe	86
PID 3364 wrote to memory of 4556	3364	cmd.exe	86
PID 3364 wrote to memory of 4556	3364	cmd.exe	86
PID 4556 wrote to memory of 844	4556	u.dll	89
PID 4556 wrote to memory of 844	4556	u.dll	89
PID 4556 wrote to memory of 844	4556	u.dll	89
PID 3364 wrote to memory of 1828	3364	cmd.exe	91
PID 3364 wrote to memory of 1828	3364	cmd.exe	91
PID 3364 wrote to memory of 1828	3364	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4229.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save f4e6f5ff240e5fc0dd147d15affec6f3_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\4304.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4304.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4305.tmp"
      4⤵
      Executes dropped EXE
      PID:844
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1828

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4229.tmp\vir.bat

Filesize
1KB

MD5
b038220c7dd5ecd725160d408a1881ab

SHA1
1b8f9d4f88919651150f8c54706d71ff320fe048

SHA256
bf9803a5105a19620092c5871cff9645bb08879f44ac73eddb146eadaf89874c

SHA512
f40ae5209f27bbd1dcebf88e41f24346fc369b215cee8e16a5d1b80a0f366734a5d69565df40105e1494eb715f7c3ae1b96a20c07ae92f2fe8f16e2fbcd78377

Download Submit
C:\Users\Admin\AppData\Local\Temp\4304.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4305.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4305.tmp

Filesize
42KB

MD5
72ae1c30bd99fd96bcbafbca84a60b05

SHA1
3157ebc337145df9fc0faa9e287119bec6ade624

SHA256
6b7ec7ffcf7f0c61c88d2711b9710030f6894d65c477c204842d4fc77f9bb78a

SHA512
dd2225f8c9eafb2444c2e8765cd26ab3b0c95f75b40467f8a1194873a99b905d15ea6d7c81d1acb718d03291a8c0a39250270cd41f3ebf24ec78bd4ed263db0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr43FE.tmp

Filesize
25KB

MD5
9c352a7eb07b2f6f1b065320229e9f17

SHA1
b06b801f94ba9a6d9b181b003e638924129f12e9

SHA256
c32c51235d12afb14ab44d97c8975fb049ed60156da7545ec0d59eb4690718df

SHA512
2dbbbd97a15157f0fab6a0e3f57074cb459440d4a5b06bca7d225889a2d4163bb2f3332f9b91abe62f547516192ad71b82af774d5811f2254cc11d99f046bd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
5b8b711c516ea3bfbfcce4e1785323e7

SHA1
0f165bb658546e5d6023a055a7338f490188e5dc

SHA256
d33c82f9bf158d05a37d007fc9d7f139880bae878e1b7fd090cbda55710eac08

SHA512
e3a05f15e2014e1fb821f804bab3e141f843e8fa3d1204cd57ba328f8af9ee0d4cf9aba1855e364cd43a61bf6f1f376a97be18d857f534805be2ff0f4e3e3395

Download Submit
memory/844-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1404-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1404-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads