80e70808c8138bd4c11cb151e3ac1e35e550c545d7670206499da8e8b0f6a953

General

Target

fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
Size

208KB
MD5

fc81235e35bc93e91cd97ec890c02b74
SHA1

b12a844774261070d3123de14371afe1588c74f2
SHA256

80e70808c8138bd4c11cb151e3ac1e35e550c545d7670206499da8e8b0f6a953
SHA512

c3bfaae2c669143275d48d2b1d02565a6341be254e5dd5614d0882cb6084fbc6d95e3a12c46def8b00a2c3beb807b912694e96a9449d10ce92815c0d2693235e
SSDEEP

6144:hl4mjZF//MrI3L0SksjkIwUc7zJ66cgDKgr8wVcmzt:Zr//eMkhIwUc70mD/Bcmz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3012	u.dll
2420	u.dll
1888	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2420	u.dll
2420	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2516	2156	fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2516	2156	fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2516	2156	fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2516	2156	fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe	29
PID 2516 wrote to memory of 3012	2516	cmd.exe	30
PID 2516 wrote to memory of 3012	2516	cmd.exe	30
PID 2516 wrote to memory of 3012	2516	cmd.exe	30
PID 2516 wrote to memory of 3012	2516	cmd.exe	30
PID 2516 wrote to memory of 2420	2516	cmd.exe	31
PID 2516 wrote to memory of 2420	2516	cmd.exe	31
PID 2516 wrote to memory of 2420	2516	cmd.exe	31
PID 2516 wrote to memory of 2420	2516	cmd.exe	31
PID 2420 wrote to memory of 1888	2420	u.dll	32
PID 2420 wrote to memory of 1888	2420	u.dll	32
PID 2420 wrote to memory of 1888	2420	u.dll	32
PID 2420 wrote to memory of 1888	2420	u.dll	32
PID 2516 wrote to memory of 1512	2516	cmd.exe	33
PID 2516 wrote to memory of 1512	2516	cmd.exe	33
PID 2516 wrote to memory of 1512	2516	cmd.exe	33
PID 2516 wrote to memory of 1512	2516	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2414.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3FA0.tmp"
      4⤵
      Executes dropped EXE
      PID:1888
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2414.tmp\vir.bat

Filesize
1KB

MD5
3f9d41dcc7d7787236d2686e50750b32

SHA1
17ec9a93fed688a6529fb857c22f619e6cf45f5f

SHA256
472e148396788a4b678d4c7ed237e7c5577ad4758c9fee990bdbeb36f802232c

SHA512
0cdace403fb99c76ab8c73c349e61f4cb6c155cf43bd7d528e6d6b200fdea5a7c55cf302edd817244b1054b5f0cac486722a367766ed7cc3cccf4abd86ea8d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3FA0.tmp

Filesize
41KB

MD5
9cdcf02f847ddde1f3b62c676c5cc737

SHA1
1e28bc7716cb6adb55b1b397dbabbe31adba3cf2

SHA256
d7726cc05bcd788912a23fc85f233775da28cb0d4d2920c2be66e5cc69e2b7ae

SHA512
438303dceafa36ac40271d6b7759248357109cc479a53dd4eb472ab35d51f333f629be2da54fc113bcdcf2bb4bdf4201b5075351842d20d7e818c80a31b88e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3FA0.tmp

Filesize
24KB

MD5
eb5c17e4c5dea19267f445fef0699c13

SHA1
e651b2abf62d10687c704b49416ad91d5fcaeb87

SHA256
f53b5c0c5d0b67cdcaf2139d550b035de003d94a86a80a9d77bb70100e3e7e0c

SHA512
505ac3d12c48234ed1fd72fa3bc75f27cda923dc89666552ac1de8f17e51d8473c315ba7ec682fd703e17cbe81bb3d7d04485839d0a0481c96a4db1fd07eebf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3FA0.tmp

Filesize
41KB

MD5
9f3c888dc0e59c4e7c309dc01b189a11

SHA1
4ca0128bafb094f389d3c6eb806a5f2e13e1ea42

SHA256
6354ef941e5047eb0abdb509bc47b2d10030bf0b1b722cc99b44274b22701e36

SHA512
44486f8a61310a636b3a0eccbc31c66e106a4bc8f8342526c2e02a45ec5ef130ea4420d7bc8c09fcd5372b451aad9a8af5eb23a9b47c9d19c14e58e14b98de64

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ac3e2f16df5b8e004bc7528957957c95

SHA1
318dfb96abdc8e9d3778788dfdbb1f3dba885fba

SHA256
c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2

SHA512
4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7d835ca670a67d265dfc3109269b5d39

SHA1
6c6de3dcace396aa12e7fa1bc316ed3f108e34f2

SHA256
dadc386394b7609e551df7be525a868b388c0585f6ef705978fb1965a9e1bc21

SHA512
18d88a08944a68bd1831874a18b10de4fff3c5c023a802afa227093a647d176e2af4c37736ceb6ce5193516e6f2d831423de1481344fd89b28e0e1a8bc3e0e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7da0d3e8b1c96ae9584bf3f96d423b89

SHA1
a65201b24e3b2be09830fe1d99c40c08a646df57

SHA256
508d56e401c31136dcb9fde56ec77e88912a7fa5711be364f65742c54f90f3d2

SHA512
d39842487ade31e7bd350222c37f657a0b194ad69c680e45d69a98a875c67f90b43031c3302804738e2bb8f56585b563929872455fbbdd10bdcb89f35ae68773

Download Submit
\Users\Admin\AppData\Local\Temp\3F9F.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/1888-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2156-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2420-96-0x0000000001D10000-0x0000000001D44000-memory.dmp

Filesize
208KB

Download
memory/2420-89-0x0000000001D10000-0x0000000001D44000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads