9fcfbb8851003bd433b7d81f8ae3d56dd0a81dd5a8607bca7d74d88756bd15ea

General

Target

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
Size

36KB
MD5

fbc3f0e790aafbd7f5bf39e28317d6ef
SHA1

f6ff9912af01302261fa7dfb98f71a85df5074ed
SHA256

9fcfbb8851003bd433b7d81f8ae3d56dd0a81dd5a8607bca7d74d88756bd15ea
SHA512

a4b0e08e6200d50653fefd4e87058734f76c4bcd40a71621712d0c6c59f2d514cd06428541f7363b0abeee51b4db5ce798888ab5d42ea82da66f024ce83e6382
SSDEEP

768:vtFUkLj9F+J4pE+GtOlfSmC5znWOjgJASvfUbP/PF7S:lF5LjfI4pE+/fSHznvgGYfUjF7S

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

device.exepart.exesysdevice.exe

pid process

2152 device.exe
2936 part.exe
2704 sysdevice.exe

pid	process
2152	device.exe
2936	part.exe
2704	sysdevice.exe

Loads dropped DLL 6 IoCs

Processes:

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exedevice.exepart.exe

pid	process
1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
2152	device.exe
2152	device.exe
2936	part.exe
2936	part.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\device.exe	upx
behavioral1/memory/2152-28-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2152-18-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 18 IoCs

Processes:

sysdevice.exepart.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe	part.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File opened for modification	C:\Windows\SysWOW64\sysdevice.exe	part.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe
File created	C:\Windows\SysWOW64\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe\sysdevice.exe	sysdevice.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

part.exesysdevice.exe

pid process

2936 part.exe
2704 sysdevice.exe

pid	process
2936	part.exe
2704	sysdevice.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exedevice.exepart.exe

description	pid	process	target process
PID 1996 wrote to memory of 2152	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 1996 wrote to memory of 2152	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 1996 wrote to memory of 2152	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 1996 wrote to memory of 2152	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	device.exe
PID 1996 wrote to memory of 2260	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2260	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2260	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 1996 wrote to memory of 2260	1996	fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe	WScript.exe
PID 2152 wrote to memory of 2724	2152	device.exe	WScript.exe
PID 2152 wrote to memory of 2724	2152	device.exe	WScript.exe
PID 2152 wrote to memory of 2724	2152	device.exe	WScript.exe
PID 2152 wrote to memory of 2724	2152	device.exe	WScript.exe
PID 2152 wrote to memory of 2936	2152	device.exe	part.exe
PID 2152 wrote to memory of 2936	2152	device.exe	part.exe
PID 2152 wrote to memory of 2936	2152	device.exe	part.exe
PID 2152 wrote to memory of 2936	2152	device.exe	part.exe
PID 2936 wrote to memory of 2704	2936	part.exe	sysdevice.exe
PID 2936 wrote to memory of 2704	2936	part.exe	sysdevice.exe
PID 2936 wrote to memory of 2704	2936	part.exe	sysdevice.exe
PID 2936 wrote to memory of 2704	2936	part.exe	sysdevice.exe

C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc3f0e790aafbd7f5bf39e28317d6ef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\device.exe
C:\Users\Admin\AppData\Local\Temp\device.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
3⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\part.exe
C:\Users\Admin\AppData\Local\Temp\part.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\sysdevice.exe
C:\Windows\system32\sysdevice.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
2⤵
PID:2260

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\part.exe
Filesize
13KB

MD5
4e208656781d3579104b17eeabc1e52c

SHA1
4dba53c0f1a82860562a64010345e7c1674e1313

SHA256
c311180fb753230292fc716c1940adf91485313521a53ec835a3d093b303727f

SHA512
7f9fd51bddbe4ba8c3df176457b80c52927aebc2d75941603419fd86119b64eff0064b175fe7bcdddaed81a8b7b1af7266126dc59211d3235299d1bbcb371001

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.vbs
Filesize
182B

MD5
99dee37e762756d28393116992973fda

SHA1
416881a428844842081d9248b6d411f3f189718b

SHA256
575e7ab3ad92622286f4b6a85541a82ef8f3184dea31a547e592bf2b6216b972

SHA512
eb014d471bfe17afdcc1650c5488197dd2bba55c36ee7526d9eaa3db982ec4c054499a00945908e6b6c323a135d33ba8c748225a4c20c41d3173212c9ac55a4f

Download Submit
\Users\Admin\AppData\Local\Temp\device.exe
Filesize
22KB

MD5
3579f05e7e1cff412674acec362b88d2

SHA1
9105b456d90b17bd00d4e6385222120b9352ad4d

SHA256
4a789f6d809fe94c8192b6cab843d89fc142f6c2e2bab53504a7450f70f91d3a

SHA512
0436b2f2178eeaec16af30640d439ef40e204be3673dd05b63d866755a04cbf63af5a75d37d6414b245eb44e609e1e3a427781bbc0baad743151d57a78139304

Download Submit
memory/1996-15-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1996-17-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1996-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2152-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2704-41-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2936-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads