5c4a015c81f634b97083c5a157801d9ff040daa88e6cafa0c6891e77aa21fb64

General

Target

f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe
Size

208KB
MD5

f9f30cdc15b44769afb959857e9bafc6
SHA1

f0ad481646df4c9546c9582725c5a194941811a9
SHA256

5c4a015c81f634b97083c5a157801d9ff040daa88e6cafa0c6891e77aa21fb64
SHA512

b7f52fd5048bb78edd5704d1249f7e5d22b8ecbc99b305a85d07ba6fcf3c30d75310bcae573182bd49b06fa45e749208292483cc479c528314392bebcbb94c55
SSDEEP

6144:ml0n6auZTJ4Kw1KnzmxpC2cj4257ZGYAo0ApmD:xn6auZTJK8zrjH5wYAoLpm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2524	u.dll
2544	u.dll
2868	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe
2928	cmd.exe
2928	cmd.exe
2544	u.dll
2544	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2928	1948	f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2928	1948	f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2928	1948	f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2928	1948	f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe	29
PID 2928 wrote to memory of 2524	2928	cmd.exe	30
PID 2928 wrote to memory of 2524	2928	cmd.exe	30
PID 2928 wrote to memory of 2524	2928	cmd.exe	30
PID 2928 wrote to memory of 2524	2928	cmd.exe	30
PID 2928 wrote to memory of 2544	2928	cmd.exe	31
PID 2928 wrote to memory of 2544	2928	cmd.exe	31
PID 2928 wrote to memory of 2544	2928	cmd.exe	31
PID 2928 wrote to memory of 2544	2928	cmd.exe	31
PID 2544 wrote to memory of 2868	2544	u.dll	32
PID 2544 wrote to memory of 2868	2544	u.dll	32
PID 2544 wrote to memory of 2868	2544	u.dll	32
PID 2544 wrote to memory of 2868	2544	u.dll	32
PID 2928 wrote to memory of 2624	2928	cmd.exe	33
PID 2928 wrote to memory of 2624	2928	cmd.exe	33
PID 2928 wrote to memory of 2624	2928	cmd.exe	33
PID 2928 wrote to memory of 2624	2928	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1258.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save f9f30cdc15b44769afb959857e9bafc6_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\2E32.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2E32.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2E33.tmp"
      4⤵
      Executes dropped EXE
      PID:2868
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1258.tmp\vir.bat

Filesize
1KB

MD5
ec0a46eb8b0026b7fdaef39c2e19a98a

SHA1
01647bf7a328ee95ef99cbd3ea5904d6bc007155

SHA256
3e99ce0ba7eaac0bb4a27a19811c2a8b306ac93d994dafa2d0307751d9cfdebc

SHA512
ddd234b07d74ef677657bf9029da46344cf6b98f12f30e045652cc692490bf2a6a075c932c87f10d442e5790ab4c39d1be55cb66a65df4334055272b89456a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E32.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2E33.tmp

Filesize
24KB

MD5
d4cc8079170c36bc2ed96932abce3ae1

SHA1
a9d6947389e98106859e656da214ae9f53757946

SHA256
3f25abd11cecf55b92ef59c4d806a5f8d325d01eb63d8520c7fb6f424ff36d7b

SHA512
0ff6b44d497c56dad1d5fe0df3d9a8cd64c6e1fb4e88d8c0e77aeb67082d6d21a92478c759cb8a03c8b478aec3b9f4d3b7ff6e58c83bb776609e6310f362ae27

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2E33.tmp

Filesize
41KB

MD5
02715a4b432f3804e8e071e403bc20bb

SHA1
e9f78fec93c6bab25fde6f1e428451c1d72680a4

SHA256
c32141e78c6b89fc670ce80893be58e270a10e37aace8819021468e5415a5aad

SHA512
fbafe6e5226a5b00a0f8531a8f22a3e3aabcaefff9d048721c2efe198ea2f31dc74c8a5cc60e2a67db50059d0ab53244b7c92b8fef898b17a7feaca5ddc7f3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2E33.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
b451111cbb9a3a66fffc7f031ad130f9

SHA1
cd7be1294309900f13f8b25a493400bbbcc69c5a

SHA256
a7e1fabcb46e8a59252e6f737e6b10dde14d2fbcef0a9ed94b1a94bd2fd4242b

SHA512
8a38efe6822cbf90ea730fe99bf9759de68a60a2bd620ec3839209aa09b5a6dfd25db8615071c7848bc7a571242cc76aea8bdfedeb787379c3d87e25f73cbfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ecaa55044f5cb8d9a714e765e77896d9

SHA1
b33a3496091154fd57f7c623be4065b754ddc830

SHA256
0896239747b65c26012c1a29819a3d908eff72490885fbc4079fe5760600dc51

SHA512
0dfa49ff5d5379731a29fd7de71aa00f1e159e030575efdabfa2b555e07d4687feb718f90aff9650eda9e8d23c9f15e1fc903e69b375c33509ef5fc0e6c63ead

Download Submit
memory/1948-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1948-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2544-96-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2544-88-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2868-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads