05c1a06ae5d97821d6d495f478965b45326bfd869502258b4cc123d78d54e7f9

General

Target

05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
Size

283KB
MD5

05f73e480c01d1f965493b324d36ecf2
SHA1

e15e13cd756cda97d607d9e2326b78d1a262cfbc
SHA256

05c1a06ae5d97821d6d495f478965b45326bfd869502258b4cc123d78d54e7f9
SHA512

987af2c4819bf792e9a601707f5daa288e6bc8c4bbdea4bd990c74d8a9a3aaed8b7ee5bfb2847b2da92d0f1855ec2fa31748e4a790eefae9013e21cd67119668
SSDEEP

6144:SUp/B8APOTBj5zzZVTB6JENPDXclQ9DK9mBaUZhDRPYu:SGO1Vz3TB6UTclQ9v9Yu

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002325b-2.dat	acprotect
behavioral2/files/0x000900000002325c-57.dat	acprotect
behavioral2/files/0x000700000002325e-73.dat	acprotect

Loads dropped DLL 35 IoCs

pid	Process
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
380	05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002325b-2.dat	upx
behavioral2/memory/380-3-0x0000000074A50000-0x0000000074AB9000-memory.dmp	upx
behavioral2/memory/380-54-0x0000000074A50000-0x0000000074AB9000-memory.dmp	upx
behavioral2/files/0x000900000002325c-57.dat	upx
behavioral2/memory/380-60-0x0000000074AA0000-0x0000000074AB7000-memory.dmp	upx
behavioral2/memory/380-77-0x0000000074AB0000-0x0000000074ABA000-memory.dmp	upx
behavioral2/files/0x000700000002325e-73.dat	upx
behavioral2/memory/380-82-0x00000000747F0000-0x0000000074859000-memory.dmp	upx
behavioral2/memory/380-102-0x00000000747F0000-0x0000000074859000-memory.dmp	upx
behavioral2/memory/380-128-0x00000000747F0000-0x0000000074859000-memory.dmp	upx
behavioral2/memory/380-137-0x00000000747F0000-0x0000000074859000-memory.dmp	upx
behavioral2/memory/380-170-0x00000000747F0000-0x0000000074859000-memory.dmp	upx
behavioral2/memory/380-182-0x00000000747F0000-0x0000000074859000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05f73e480c01d1f965493b324d36ecf2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiFF41.tmp\extra.dll

Filesize
177KB

MD5
ddc0cd4c52586a7d90e498a660f4c771

SHA1
493f0f3d65018a7e659bef143665f495ad9251ed

SHA256
2df15d16e5b37de207c58f86770e82b1bbc21788c9560f34450acb48a9c5c208

SHA512
3e2f8cce4a9469cd94472ffa96217d6279cea2326c738460aa5d111b9b1036a728cccd47fab561d564b26a8187f4fd527cc1d16070eb6f9fb0e296cd4b3a24cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFF41.tmp\nsJSON.dll

Filesize
7KB

MD5
78b913fcd04259634a5e901c616e6074

SHA1
ad5e1c651851a1125bcad79b01ccdcfa45df4799

SHA256
e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59

SHA512
cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFF41.tmp\sign.dll

Filesize
32KB

MD5
d30b6c8d2f38e6abbb2f39bac0808bc0

SHA1
f1bca6416ae0f4c52e5b076381c72b18472954d8

SHA256
1f2b4549129c1b98c5674fe363a0267376dfd623323c5815216043dfa7fe1f2a

SHA512
3bf03d839ffa04c1d5eeb89a6405820ab2eea3548050e730255df7e84dfc729157c0d5c7eceeead5e8e1f4aa23777fe78a5582f0772c85bf0f793dd245a887e8

Download Submit
memory/380-60-0x0000000074AA0000-0x0000000074AB7000-memory.dmp

Filesize
92KB

Download
memory/380-102-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-72-0x0000000074AA0000-0x0000000074AB7000-memory.dmp

Filesize
92KB

Download
memory/380-71-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-77-0x0000000074AB0000-0x0000000074ABA000-memory.dmp

Filesize
40KB

Download
memory/380-3-0x0000000074A50000-0x0000000074AB9000-memory.dmp

Filesize
420KB

Download
memory/380-82-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-54-0x0000000074A50000-0x0000000074AB9000-memory.dmp

Filesize
420KB

Download
memory/380-128-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-137-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-170-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-182-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-181-0x0000000074AA0000-0x0000000074AB7000-memory.dmp

Filesize
92KB

Download
memory/380-215-0x00000000747F0000-0x0000000074859000-memory.dmp

Filesize
420KB

Download
memory/380-222-0x0000000074AA0000-0x0000000074AA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing