12e4582053f3b63e933245f914ad81c68f0263c69c486193d27dc122a7f4b6cd

General

Target

f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe
Size

905KB
MD5

f75f4b412c6443f7673543e038ba3423
SHA1

a1fbf3a2f2e9ab189dcae9f02781697166621b20
SHA256

12e4582053f3b63e933245f914ad81c68f0263c69c486193d27dc122a7f4b6cd
SHA512

cbc9acc41464849a36514da79a06ead16023e386cae84535584793ff94176a94d5d2e41fb70bcd5f1f28369b44f9966d04491f49497c6873c6af503dc86dca1e
SSDEEP

24576:ZPkvygEJ0qqL9BY8KPhEMahbQpzB594ZK0l5C0:ZPGIIJBY7pyKpfgK0l5C0

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2748	setup70.exe
2552	install41.exe

Loads dropped DLL 9 IoCs

pid	Process
2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe
2748	setup70.exe
2748	setup70.exe
2748	setup70.exe
2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe
2552	install41.exe
2552	install41.exe
2552	install41.exe
2552	install41.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012272-1.dat	upx
behavioral1/memory/2544-3-0x0000000002CE0000-0x0000000002E6F000-memory.dmp	upx
behavioral1/memory/2748-10-0x0000000000400000-0x000000000058F000-memory.dmp	upx
behavioral1/files/0x0032000000015c4b-13.dat	upx
behavioral1/memory/2552-18-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2552-31-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2552-34-0x0000000000230000-0x0000000000273000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	install41.exe
2552	install41.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2748	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	27
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2552	2544	f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f75f4b412c6443f7673543e038ba3423_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\setup70.exe
  C:\Users\Admin\AppData\Local\Temp\setup70.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\install41.exe
  C:\Users\Admin\AppData\Local\Temp\install41.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bmC7F1.tmp

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\install41.exe

Filesize
124KB

MD5
e7adceadeedd8965b19265bc3eeef441

SHA1
592e10969f4542830cfcc17e8195f5c31926fe2e

SHA256
3a191ff13d995939d6ece95c77b94a5f13dcc9b811abc3f38f6052da54aaf201

SHA512
a3d94a4d544efb3ce3e95a08bb9bd18f5a6948dd298f250cc38f76bbc7a1cf13f392ed3fda2119cf428fadf7dfb7c0ba3bc2e7de48a8158f893c36fdf626ebac

Download Submit
\Users\Admin\AppData\Local\Temp\setup70.exe

Filesize
752KB

MD5
2e2a0db9a96a1ce702d3327a9c4be073

SHA1
156f9a113b1ae98bc743ba7e5eba0e9a62078f78

SHA256
224f378b3dc1cd22a86984af356fc4acce5f4522d3a52e8d8d791924541341cc

SHA512
f2b6c84a8e44eefd6eb4115a331595d9d14ff05bf68779d2c5d74c916fad0976bbac3c05226873ac83fb62ba92ab5e085e1f1bd7934e23776a580419d4f47707

Download Submit
memory/2544-3-0x0000000002CE0000-0x0000000002E6F000-memory.dmp

Filesize
1.6MB

Download
memory/2544-30-0x0000000000430000-0x0000000000473000-memory.dmp

Filesize
268KB

Download
memory/2544-17-0x0000000000430000-0x0000000000473000-memory.dmp

Filesize
268KB

Download
memory/2544-29-0x0000000002CE0000-0x0000000002E6F000-memory.dmp

Filesize
1.6MB

Download
memory/2552-32-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-37-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-23-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2552-28-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-59-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-57-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-33-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2552-34-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2552-35-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-24-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2552-39-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-41-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-45-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-47-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-49-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-51-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-53-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2552-55-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2748-10-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2748-12-0x0000000000B60000-0x0000000000CEF000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing