90263f5e0ceee73af6ee6ca4dac8e6441c1f5c39607512a954e42887a5a0bb3a

General

Target

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
Size

18.1MB
MD5

342b6eafbc9f18889a492925a33a2cc5
SHA1

041fcba34d990603fd63074394c40243312a4dfe
SHA256

90263f5e0ceee73af6ee6ca4dac8e6441c1f5c39607512a954e42887a5a0bb3a
SHA512

d58819cad03fb0625129dd3a7fc3846ead1e028944b6516af8f3ca0261c2619ebda78be0a6f3d4cf87b03556fd10d5d49f695ce829997128d0eee115ebec4da7
SSDEEP

393216:Xm4I12ZQV+9llWqi0a2jVbHp5hAK0w5sXQr+xP9fPACdObQvnQ9ScGnCRByGz/O3:Xm4IcZMQWqzVbpb0IsXQ89npOE1crzm3

Score

7^/10

agilenet discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\version.dll	acprotect
behavioral1/memory/1216-48-0x0000000001F80000-0x0000000001F92000-memory.dmp	acprotect
behavioral1/memory/1216-69-0x0000000001F80000-0x0000000001F92000-memory.dmp	acprotect

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Program Files\DriverAssist\DriverAssist.exe	agile_net

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1216-14-0x0000000001F80000-0x0000000001F92000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\version.dll	upx
behavioral1/memory/1216-43-0x0000000001F80000-0x0000000001F92000-memory.dmp	upx
behavioral1/memory/1216-48-0x0000000001F80000-0x0000000001F92000-memory.dmp	upx
behavioral1/memory/1216-68-0x0000000001F80000-0x0000000001F92000-memory.dmp	upx
behavioral1/memory/1216-69-0x0000000001F80000-0x0000000001F92000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 31 IoCs

Processes:

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\DriverAssist\7z\x64\7z.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\System.Data.SQLite.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DriverAssist\DriverAssist.URL	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Xml.NonXmlDataReader.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.IO.Catalogs.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Inf2Cat.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\icon.ico	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.IO.Cabinets.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\WindowsProtectedFiles.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\x64\7-zip.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\DriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\DriverAssist.exe.config	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\lang.resx	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.Xml.InfReader.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DriverAssist\DriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\configen.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\x64\7z.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\SQLite.Interop.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\SQLite.Interop.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\NLog.config	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\System.Data.SQLite.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\UninstallDriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\uninst.bin	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\webicon.ico	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7z.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7-zip.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\System.Data.SQLite.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7z.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\System.Data.SQLite.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\ui.chm	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

Loads dropped DLL 7 IoCs

Processes:

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

pid	process
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
1216	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Program Files\DriverAssist\UninstallDriverAssist.exe	nsis_installer_1
\Program Files\DriverAssist\UninstallDriverAssist.exe	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

pid process

1216 342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1216

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\DriverAssist\DriverAssist.exe
Filesize
14.8MB

MD5
ebcef1090df823de55e308798ca4f9e4

SHA1
1e0bffdb0c5aee1471c8f66693d8a63f76b9c7aa

SHA256
5b69cc2a91a971a494b420cdd8177a991bf2d160514ef9a435d0d4120b7115f5

SHA512
8ad5d31168dd8b820ce622ea4c67e66d08076b696e9e266eec59db6892fd30bb7172effa1af646dcdc4f591916576d73cdb30d61411983f27b7420fe487f9452

Download Submit
\Program Files\DriverAssist\UninstallDriverAssist.exe
Filesize
78KB

MD5
4c3b6c0593ac6c5c861bf28c48baaeb8

SHA1
9f053f54b8543651cd4e9635d076d3518f720496

SHA256
e9771340c500b30103ff264e3479ee505fe657e91b31e34a751519aa0409fc5a

SHA512
05a2c599e4dc0291d3356a8a15ec382a24df23fb222964d5814541516ebf8b0cdd112235ffbf17f23190237b64c87b53fd79c25ee8ba53a76a2f59b3e3eac9e8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/1216-14-0x0000000001F80000-0x0000000001F92000-memory.dmp

Filesize
72KB

Download
memory/1216-43-0x0000000001F80000-0x0000000001F92000-memory.dmp

Filesize
72KB

Download
memory/1216-48-0x0000000001F80000-0x0000000001F92000-memory.dmp

Filesize
72KB

Download
memory/1216-68-0x0000000001F80000-0x0000000001F92000-memory.dmp

Filesize
72KB

Download
memory/1216-69-0x0000000001F80000-0x0000000001F92000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads