31f2d3e29a4c173650f162d5b1ee60daf723476589a82b9f12618679242fe70e

General

Target

fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe
Size

208KB
MD5

fdbde0c9d8c270d89c07a723b54d5a83
SHA1

3c1050d9e339426393c918f933b0bca7cafa7e8b
SHA256

31f2d3e29a4c173650f162d5b1ee60daf723476589a82b9f12618679242fe70e
SHA512

f9947afbc2dee5bb45da177d6cb8e6c1d4b088229be24947c3563f89eab444fc6105ad6a001bf08926dfeac839f80bdee29800bf5b40e614cb19d98ea608ac70
SSDEEP

3072:ilxuF4BVY//+wZ6HSfs7OP/SqC8NmlOnAJ4TOM/Wk7A7FgWGAa2rP8Pz:ilkX3Mes7OnSuNmIv/WkstM278r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1048	u.dll
2604	u.dll
2472	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe
2228	cmd.exe
2228	cmd.exe
2604	u.dll
2604	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2228	1304	fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe	29
PID 1304 wrote to memory of 2228	1304	fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe	29
PID 1304 wrote to memory of 2228	1304	fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe	29
PID 1304 wrote to memory of 2228	1304	fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe	29
PID 2228 wrote to memory of 1048	2228	cmd.exe	30
PID 2228 wrote to memory of 1048	2228	cmd.exe	30
PID 2228 wrote to memory of 1048	2228	cmd.exe	30
PID 2228 wrote to memory of 1048	2228	cmd.exe	30
PID 2228 wrote to memory of 2604	2228	cmd.exe	31
PID 2228 wrote to memory of 2604	2228	cmd.exe	31
PID 2228 wrote to memory of 2604	2228	cmd.exe	31
PID 2228 wrote to memory of 2604	2228	cmd.exe	31
PID 2604 wrote to memory of 2472	2604	u.dll	32
PID 2604 wrote to memory of 2472	2604	u.dll	32
PID 2604 wrote to memory of 2472	2604	u.dll	32
PID 2604 wrote to memory of 2472	2604	u.dll	32
PID 2228 wrote to memory of 1448	2228	cmd.exe	33
PID 2228 wrote to memory of 1448	2228	cmd.exe	33
PID 2228 wrote to memory of 1448	2228	cmd.exe	33
PID 2228 wrote to memory of 1448	2228	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\120A.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save fdbde0c9d8c270d89c07a723b54d5a83_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\2DF3.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2DF3.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2DF4.tmp"
      4⤵
      Executes dropped EXE
      PID:2472
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\120A.tmp\vir.bat

Filesize
1KB

MD5
74eb6b224538e768c8211027428dabfc

SHA1
bd0d82d2e6f71a97f0d74b2234b45a6d0fe525d6

SHA256
65a1a4f3b2e70569678b1904901cf544fb43195d79ec040e7f3d278b09e0b9d6

SHA512
9c5626af96d702b6bec86e7aa2078a642d72d97da45a3805b9a2e69fc3ab949387423bc95b79ad93580a65500e302fa6162166cfd0e69f8d032a4628d737b228

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2DF4.tmp

Filesize
24KB

MD5
f680e9ae05faa8f515979455a15d34a8

SHA1
474bcbb3309059e5950ec06a370d42e290eefda8

SHA256
def67e83cf64e184ac206e4c7445ecf4151932bd2d05adb0623c014d94565093

SHA512
b9b403b2890005628fb1a1a90a5fb96d164bfe7605f180063000161fe7a2b8065589ba9934cb07233a84d169987c14b541deef3e7f896929e70a5724233eb413

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2DF4.tmp

Filesize
41KB

MD5
863c72510f3c30b4e2cd208090af8b92

SHA1
3c5a6732c904ba8c3004e257d5008beb5311b7af

SHA256
87454715574db5716ae855a6dd5a09f80a0ce0adba4699b485dc3152dc3ce544

SHA512
d7356b3561c3a8e84cc004d3852e3f8562023e4819e9e07e52b3fbdbb5645c64f9a436bcaea55b24e0fdd231b16d0941ad027db9870230db38a0ca81985d452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
9b40e0b16a38d0dc1500a2955f7613d7

SHA1
4f405f432fbb862ecc25410f0df02f1df8121b5a

SHA256
b102e752e151a54aa9c4c84423dde09f85f10dd0cdce2ee439640a14da09caa2

SHA512
6c22af7dc120d490604af7a379be9ce729f162a56fa4c8388fa431f0ab35e10d919e6662be51ade8b9e9444cb2930e714425020eb0f5a51c4b40ee36fbfe572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
4a36ecd6b5a1cdaf65f1b01e7ba14238

SHA1
d6db0044cd6aea088aa71a558341c425c39f0076

SHA256
4fb75597cdf7c4e0d140a8ea11fe66a6ee308ed471b1dfaaef1ba7cbfd71d8d9

SHA512
7818e47b41213c0d74472eb5f9b35a7c4157d5cc930f9d6c8e609afa5f9affdb56eda91da8f3500accf9ac0a6f96d7b3fd116bafefd0f64c9503b61182dc2d98

Download Submit
\Users\Admin\AppData\Local\Temp\2DF3.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/1304-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1304-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2472-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-95-0x0000000000530000-0x0000000000564000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads