3b89e70d02ac32af502cd55b0ca6e2b7d80dc26ea8f8ac50ea7f9a6735a31c37

General

Target

6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe
Size

886KB
MD5

6856c855c6f137111821f0ac06067d65
SHA1

0526270418be4ca6bef0f737865fac1b684907e0
SHA256

3b89e70d02ac32af502cd55b0ca6e2b7d80dc26ea8f8ac50ea7f9a6735a31c37
SHA512

4d89e4fef39cee7c71d07c9144f52d2c1bb4c37714a16bc888e4e6d8631c19883e7c85b6f10a0e7785098d9aada3d21297ac2c5753fa401e8a319087e1284b2b
SSDEEP

12288:YSxGxT888888888888W88888888888Lyrr2KIFGXZTXXDOIrwBouXS2puAE3ooFV:nxGLy5ZTjOmwBouX+zYoMNBXo4c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Loads dropped DLL 8 IoCs

pid	Process
3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1936	3044	6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\is-9I341.tmp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9I341.tmp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp" /SL5="$5014E,505353,128512,C:\Users\Admin\AppData\Local\Temp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-70U40.tmp\ConnectUtils.dll

Filesize
90KB

MD5
546f248f2cc3fc1b324d6c7129ff8662

SHA1
f782e87c4bb24e8f4bfcf5174b9131821c71d668

SHA256
31508d700cc570c172b6cc7d92da2083ce3a4568bbff979967f1e72da3493c94

SHA512
9dac51b5bb0069a1977b30444fa96f5ee60290900c5d84b4b6b71ff6c981436088dff46a459b4696bb52986855794250e750078ffbe93f8f8361e4fed315aba3

Download Submit
\Users\Admin\AppData\Local\Temp\is-70U40.tmp\LookInto.dll

Filesize
177KB

MD5
6f06ad3a769cf24bba0485f28e2d3252

SHA1
ddca263697f494b96f229e80dff4ccadfef7a650

SHA256
5590110e543a9f89b02c037ad539a142b10ecf0f3950bfc0df634cb6e8254678

SHA512
c09df10f103b3e03c1d5b569b45de05015f8028d6477ec2a50f7969090bce9d06b25d6e738c13db2566a073bee0746a2b1511cc7257bdf8cfe43dc8d0bccc3f8

Download Submit
\Users\Admin\AppData\Local\Temp\is-70U40.tmp\SyncDownCB.dll

Filesize
351KB

MD5
2e109c4abc9749f0c190be782bc4d1f0

SHA1
2bbaeef3774473c048c420e3e27407e1e5d26d06

SHA256
a1f9592a58b4d1405c5716f5a5a2775aed5c404f4568c6990d1b1a918b1c50b2

SHA512
661802655f1d3eeec18f59e57715e01887ef4fe843c2d6cda1152cc35eb96b7d977b5da69538e1ce9ad03db538f30e52435009b1f4b8ea4b993d98ea4a13d632

Download Submit
\Users\Admin\AppData\Local\Temp\is-70U40.tmp\VanillaFrames.dll

Filesize
549KB

MD5
8e1b59d37115d13a07e21c37dc5ef7dc

SHA1
2fd11351dff42fb18a9de7a436fbb52702c7f4d9

SHA256
61306d19ec47e11dd3c810e2527d202a936c43e5081e89ea4de420df17f33566

SHA512
42f158a61e74f88994208d2af5f9768e37273560e1457543c4b741968bb4ced91d82cde24aa71624309213022604ffe92fe588cc149c98de691a499d3017dcf7

Download Submit
\Users\Admin\AppData\Local\Temp\is-70U40.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-70U40.tmp\execctrl.dll

Filesize
10KB

MD5
9c497a6cfb4035ae006619919e23e45c

SHA1
d2b1534ce30a90ee962976b8921bea6eb80846e7

SHA256
20646bf003ca8d986737e66ef6200154af7376a69d908777f5c9c37a513c0d8a

SHA512
e92f58ae4c4cf81ec49e1386841be2b74f00da51cc282345dd4af1c430956b9eda3ad3a60d642eea448eff69a0fa7775bf99363efc31fcb09fe411c5dae972e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-9I341.tmp\6856c855c6f137111821f0ac06067d65_JaffaCakes118.tmp

Filesize
1.1MB

MD5
efd5751d802ed28ff7c4bd7818a62b74

SHA1
0e43fdc39a58cf2545510cf624c9724774e2720b

SHA256
0a9aef747d1abc56acd0a58c5efa2e976a57ac4b6d8ff8144acfd477a14b1557

SHA512
3c9b8ea55a5b82b3aa09308fe9839216015fd7296fe6befbd510fe2508c47024cff5c74099736c69c2bff54c53b2630edf8b52df738a35c564c190af3594d4ce

Download Submit
memory/1936-28-0x0000000005470000-0x00000000054D1000-memory.dmp

Filesize
388KB

Download
memory/1936-38-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1936-8-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1936-84-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1936-24-0x0000000001FA0000-0x0000000001FC0000-memory.dmp

Filesize
128KB

Download
memory/1936-32-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/1936-34-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1936-39-0x0000000001FA0000-0x0000000001FC0000-memory.dmp

Filesize
128KB

Download
memory/1936-40-0x0000000005470000-0x00000000054D1000-memory.dmp

Filesize
388KB

Download
memory/1936-41-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/3044-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3044-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3044-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3044-86-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing