2166788e0a2f3412f12198715add364848d4f5456850df7773832f4d535b5f44

General

Target

41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
Size

1.2MB
MD5

41f04683bffe1af356cfc50864178a03
SHA1

ff8fb1ecc68e92c01d4646cc46e77c1e9073fbf2
SHA256

2166788e0a2f3412f12198715add364848d4f5456850df7773832f4d535b5f44
SHA512

4c8e48961bcc1e3b6de35ea31788a158ef23a5ff5f7d8a6fb585f0b1802e80b59ba4cb8dd684fe94c441da6c72c67ae11bcd8f27464e94399506f8daa66740e6
SSDEEP

24576:VuEBM1w64dXlNDUfnf+Lex9RtbHLRhZ6oh5LuargN9pi3rcmSvK9ewPhELSIc1Y:4b1GTNDUfnf+LexLtbV3hnq/vK9ew2Lv

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\CdaC15BA.SYS	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\CdaC15BA.SYS	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000015c3d-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2348	~e5d141.tmp

Loads dropped DLL 8 IoCs

pid	Process
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
2348	~e5d141.tmp
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
2348	~e5d141.tmp
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2348	2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2348	2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2348	2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2348	2232	41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41f04683bffe1af356cfc50864178a03_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\~e5d141.tmp
  "C:\Users\Admin\AppData\Local\Temp\~e5d141.tmp" 2232 "C:\Users\Admin\AppData\Local\Temp\""~ef1056"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~ef1056\CdaC15BA.SYS

Filesize
12KB

MD5
08f60f40d1a2a95a1f12eddbd9f25c1c

SHA1
4fd9a75e29fa24d1931e544318fea08e039d182f

SHA256
fe3f2784adc5a3d33231de0350c0333b7bf1f273b42d115f6a4e94c94a1d4a9f

SHA512
ce249f720a57b8ba44af93bd1c7799383d21f73f7bfce75d833dcc979fc0621dc3e9292561a4fe224ee6ce6cc63fac8d752bd5ab452d2eabded85e5f24a47bec

Download Submit
\Users\Admin\AppData\Local\Temp\fbl1036.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
\Users\Admin\AppData\Local\Temp\~e5d141.tmp

Filesize
45KB

MD5
a19804b45575151100c3de28ddeba2fe

SHA1
3d2b69415976f233630a0eb55f7fcd0927851030

SHA256
473be30d52f15d0f7138e28dd8fdc774cfcba3d611b651d2e186f21657b55ac6

SHA512
71b565870aaf162b84e5d9baf336589c98084c1017f52bb067b6e8448e2709fffe1c68b8585729ee2f51418b47a42a4d652ceb05dfe4ed1bf54783c5f7efa75c

Download Submit
\Users\Admin\AppData\Local\Temp\~ef1056\DrvMgt.dll

Filesize
40KB

MD5
87ba4f137740ce0b157c91e116d7b567

SHA1
ba6021d34868dc25429de7711da55c2650994e5c

SHA256
a77dbece5de4039dcb05b73c559118a550ac8fd3916cda85a23844269eb7972c

SHA512
f2c11bcbcdc9cd3e0313a9a7b4f16b515a1155d5a2209a1b7337bd1078adb845dcf97f25d0665e868ce63b9e06ec7a94486a40a8796e0b4b958d8adc6f19bfae

Download Submit
\Users\Admin\AppData\Local\Temp\~ef1056\~de9deb.tmp

Filesize
484KB

MD5
be9a8fe0b98a62e265731d966eb9ad94

SHA1
a0b696d529d50d4d36f7cdf8596f7f441fe95302

SHA256
e04a8194bcd57a5f8a13fa9e212471cf43ba7e8cd9493fe6f290268999af32de

SHA512
4f575300f3feb54382101263f3749e7153be93468c9fec8e9ade47b0d21fa33477d49a32909d75bd733afc195d5f1a8a18a91e25547dea8f150a339e9163afd5

Download Submit
\Users\Admin\AppData\Local\Temp\~ef1056\~df394b.tmp

Filesize
439KB

MD5
70d05feb35eeab50b06c3514f88518e8

SHA1
338eaa8d638553d315887936dfeb5b46aa11279a

SHA256
252c46fdb34ce03e10436a25b6b179f146258d30aa2768b24226a418db1960e3

SHA512
ddb8dc0cdcdf5d5acda88142710e90c46d9a2db3547c0b274e9075afadbad4b722899650952b0102abc85c841a0fb2996da98abc8ed461e78023871c2b21e71f

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-22-0x00000000002F0000-0x00000000002FD000-memory.dmp

Filesize
52KB

Download
memory/2232-32-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2232-37-0x0000000000250000-0x00000000002C3000-memory.dmp

Filesize
460KB

Download
memory/2232-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-4-0x0000000000250000-0x00000000002C3000-memory.dmp

Filesize
460KB

Download
memory/2348-18-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing