0ca99da4150dfdc2d7b55ec1baf001320e4a074528a1e945809dd5dce397293d

General

Target

63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe
Size

2.2MB
MD5

63dddbf851109aabbaba99df0b4b3106
SHA1

2bd0e8db9ff4606eb5ee509b79d8fa5030425dfe
SHA256

0ca99da4150dfdc2d7b55ec1baf001320e4a074528a1e945809dd5dce397293d
SHA512

a9fea562d0a1db5642725ad524c54890457ee309bf05e00123f9554dd83cdae56b682425e3f076301252ee8d2f67e04a7f797045aa4bf377a60d3c1d3276b449
SSDEEP

49152:iY179h6CLZLA7bW8lz/ppLzc9PvAopoLi7ESWjsX0wf8HUNr233FW06qH65vocN:7179hD9AnWcz/ppL49PvAI0b5sX0WAQF

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

erxooehcnh.exeerxooehcnh.tmp

pid process

2524 erxooehcnh.exe
2528 erxooehcnh.tmp
Loads dropped DLL 6 IoCs

Processes:

cmd.exeerxooehcnh.exeerxooehcnh.tmp

pid process

2464 cmd.exe
2524 erxooehcnh.exe
2528 erxooehcnh.tmp
2528 erxooehcnh.tmp
2528 erxooehcnh.tmp
2528 erxooehcnh.tmp

pid	process
2524	erxooehcnh.exe
2528	erxooehcnh.tmp

pid	process
2464	cmd.exe
2524	erxooehcnh.exe
2528	erxooehcnh.tmp
2528	erxooehcnh.tmp
2528	erxooehcnh.tmp
2528	erxooehcnh.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x0000000000390000-0x000000000069A000-memory.dmp	upx
behavioral1/memory/2876-7-0x0000000000390000-0x000000000069A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

erxooehcnh.tmp

description	ioc	process
File created	C:\Program Files (x86)\Xunjie\is-M8VRC.tmp	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\is-DBTU9.tmp	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\is-D7GHQ.tmp	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\is-KR24Q.tmp	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\is-4CBPQ.tmp	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\is-KBD5P.tmp	erxooehcnh.tmp
File opened for modification	C:\Program Files (x86)\Xunjie\unins000.dat	erxooehcnh.tmp
File opened for modification	C:\Program Files (x86)\Xunjie\msvcrt40.dll	erxooehcnh.tmp
File opened for modification	C:\Program Files (x86)\Xunjie\msvidc32.dll	erxooehcnh.tmp
File opened for modification	C:\Program Files (x86)\Xunjie\xjhelper.exe	erxooehcnh.tmp
File created	C:\Program Files (x86)\Xunjie\unins000.dat	erxooehcnh.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exeerxooehcnh.tmp

pid	process
2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe
2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe
2528	erxooehcnh.tmp
2528	erxooehcnh.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

erxooehcnh.tmp

pid process

2528 erxooehcnh.tmp

pid	process
2528	erxooehcnh.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.execmd.exeerxooehcnh.exe

description	pid	process	target process
PID 2876 wrote to memory of 2464	2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2464	2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2464	2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe	cmd.exe
PID 2876 wrote to memory of 2464	2876	63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2464 wrote to memory of 2524	2464	cmd.exe	erxooehcnh.exe
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp
PID 2524 wrote to memory of 2528	2524	erxooehcnh.exe	erxooehcnh.tmp

C:\Users\Admin\AppData\Local\Temp\63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63dddbf851109aabbaba99df0b4b3106_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\erxooehcnh.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\erxooehcnh.exe
    "C:\Users\Admin\AppData\Local\Temp\erxooehcnh.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\is-4C41T.tmp\erxooehcnh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4C41T.tmp\erxooehcnh.tmp" /SL5="$8011A,799475,54272,C:\Users\Admin\AppData\Local\Temp\erxooehcnh.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erxooehcnh.exe

Filesize
1.1MB

MD5
a1efbe65547fd9a8a533eb788eadf155

SHA1
8aa18ff2560f212e2e1f776673aa1c1c86a75bae

SHA256
7b9747384f7f5732e6fb3bc12c3f96bcab53ed8d066d064e465bf9f51bb88618

SHA512
5292b87e3f239a96499e74bfb301e6446773ea0390c9564e9781fd1afcd78a1c993f951e58908668fef1505749d2dd7ae3e695d003e7e3b10557e294a17433b7

Download Submit
\Program Files (x86)\Xunjie\unins000.exe

Filesize
907KB

MD5
8f7c7ec68a60ee2fcabed9a254810940

SHA1
7315a1e8c14c378556df955f7af0a8e3c54e7122

SHA256
b09787ae6f160882f286f9f4db00356f0e7a540f6ac436dfff9c0ab66b3a937d

SHA512
24040b3307b40a3a28c09938e2bf37dc9a8aca3a41aa9fbf2d9302444dd6a8d7615870ce9796d4104e891d0eb9ebb82e13152e522eb731d53cdb8cb04eb18b4d

Download Submit
\Program Files (x86)\Xunjie\xjhelper.exe

Filesize
2.0MB

MD5
7aac487695b38b88c9a4524e1bc46cd5

SHA1
1955dc3ae9e7c0c90d715da17c3eb1f10f6d1781

SHA256
fc925e1888a24e9be4c1c6bbce845be0d76a9746172b6b7024ed16061b8198ff

SHA512
4cece3a5cf90cbc6e34a39ea29a42c328c23b02efb05906cc8b7a080ab820a237e8f841b5c3b0b7f90753091166e24bcb4501f2ccccc2cc8a86c47452eeac2ae

Download Submit
\Users\Admin\AppData\Local\Temp\is-4C41T.tmp\erxooehcnh.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
\Users\Admin\AppData\Local\Temp\is-TPSOB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2524-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2524-13-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2524-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-51-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2876-0-0x0000000000390000-0x000000000069A000-memory.dmp

Filesize
3.0MB

Download
memory/2876-2-0x0000000010000000-0x00000000102E9000-memory.dmp

Filesize
2.9MB

Download
memory/2876-7-0x0000000000390000-0x000000000069A000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads