9ab58c08a559a5b8d3a4a4b180e72bd08eb881246dd4d151bfd6ce0ae42fb533

General

Target

43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
Size

795KB
MD5

43e7a60f724785224a0a6d9eec3ebd06
SHA1

db2842a24c4a10065f808cec5a84a3faa6d05686
SHA256

9ab58c08a559a5b8d3a4a4b180e72bd08eb881246dd4d151bfd6ce0ae42fb533
SHA512

7409dcb648e24e13b202ce1ce15290de44708ed42d89fc51539a037c2301357fcb3aab92fb932c795ba860fdee2a593f39f2b4349832953c35195d13412936fb
SSDEEP

12288:8YV6MorX7qzuC3QHO9FQVHPF51jgcdomfb9fFAy/C49elVD6Ra4UtGI/3NFtLM:bBXu9HGaVH9NAKXe7k4th2

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WerFault.url	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000840000-0x00000000009F9000-memory.dmp	upx
behavioral1/memory/1684-11-0x0000000000840000-0x00000000009F9000-memory.dmp	upx
behavioral1/memory/2884-7-0x0000000000840000-0x00000000009F9000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1684-11-0x0000000000840000-0x00000000009F9000-memory.dmp	autoit_exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

pid	process
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

pid	process
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe"
2⤵
PID:2576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-0-0x0000000000840000-0x00000000009F9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-6-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1684-8-0x0000000003320000-0x00000000034D9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-9-0x0000000003320000-0x00000000034D9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-11-0x0000000000840000-0x00000000009F9000-memory.dmp

Filesize
1.7MB

Download
memory/2884-7-0x0000000000840000-0x00000000009F9000-memory.dmp

Filesize
1.7MB

Download

description	pid	process	target process
PID 1684 wrote to memory of 2884	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2884	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2884	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2884	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2912	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2912	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2912	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2912	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2928	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2928	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2928	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2928	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2312	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2312	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2312	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2312	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2276	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2276	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2276	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2276	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2576	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2576	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2576	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe
PID 1684 wrote to memory of 2576	1684	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe	43e7a60f724785224a0a6d9eec3ebd06_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads