90263f5e0ceee73af6ee6ca4dac8e6441c1f5c39607512a954e42887a5a0bb3a

General

Target

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
Size

18.1MB
MD5

342b6eafbc9f18889a492925a33a2cc5
SHA1

041fcba34d990603fd63074394c40243312a4dfe
SHA256

90263f5e0ceee73af6ee6ca4dac8e6441c1f5c39607512a954e42887a5a0bb3a
SHA512

d58819cad03fb0625129dd3a7fc3846ead1e028944b6516af8f3ca0261c2619ebda78be0a6f3d4cf87b03556fd10d5d49f695ce829997128d0eee115ebec4da7
SSDEEP

393216:Xm4I12ZQV+9llWqi0a2jVbHp5hAK0w5sXQr+xP9fPACdObQvnQ9ScGnCRByGz/O3:Xm4IcZMQWqzVbpb0IsXQ89npOE1crzm3

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsyF474.tmp\version.dll	acprotect
behavioral2/memory/4020-59-0x0000000006820000-0x0000000006832000-memory.dmp	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4020-19-0x0000000008870000-0x0000000008882000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nsyF474.tmp\version.dll	upx
behavioral2/memory/4020-59-0x0000000006820000-0x0000000006832000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 31 IoCs

Processes:

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\DriverAssist\DriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\webicon.ico	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.IO.Cabinets.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7z.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DriverAssist\DriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7-zip.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\lang.resx	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\SQLite.Interop.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\System.Data.SQLite.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DriverAssist\DriverAssist.URL	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\configen.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\System.Data.SQLite.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\uninst.bin	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\DriverAssist.exe.config	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\icon.ico	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Inf2Cat.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.Xml.InfReader.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\x64\7z.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\NLog.config	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\ui.chm	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\WindowsProtectedFiles.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\System.Data.SQLite.xml	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Shared.IO.Catalogs.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\x64\7z.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\x64\7-zip.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\Microsoft.Whos.Xml.NonXmlDataReader.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\7z\7z.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\Extra\SQLite.Interop.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\System.Data.SQLite.dll	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
File created	C:\Program Files\DriverAssist\UninstallDriverAssist.exe	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

Loads dropped DLL 9 IoCs

Processes:

342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

pid	process
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
4020	342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\342b6eafbc9f18889a492925a33a2cc5_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyF474.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF474.tmp\UserInfo.dll

Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF474.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/4020-59-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-19-0x0000000008870000-0x0000000008882000-memory.dmp

Filesize
72KB

Download
memory/4020-56-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-20-0x0000000008870000-0x0000000008882000-memory.dmp

Filesize
72KB

Download
memory/4020-58-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-57-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-78-0x0000000008870000-0x0000000008882000-memory.dmp

Filesize
72KB

Download
memory/4020-77-0x0000000008870000-0x0000000008882000-memory.dmp

Filesize
72KB

Download
memory/4020-79-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-82-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-81-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/4020-80-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads