5cd900d44658b1ab9444f6f7331f44220192f8f1e9bcdd2e16fa74c340f89a00

General

Target

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
Size

3.3MB
MD5

686da91dfd575cc325685db58538bcc2
SHA1

f5989ae8b3c178a8047994858054c63cebf1f3b6
SHA256

5cd900d44658b1ab9444f6f7331f44220192f8f1e9bcdd2e16fa74c340f89a00
SHA512

b3abaacdb501756a403b9843cae140dec96a98ebdf25bc92cbe709492311c3e75d6e8200a75b87c736c44f609398db00449b568e8b3d98d07adefa257a975bc1
SSDEEP

98304:tq3EoG9eb2cuidK6XvwLOEUwo09YbiW1j/rtm:U3EoG9equ5I927b71r4

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000F00000-0x000000000179E000-memory.dmp	upx
behavioral1/memory/616-26-0x0000000000F00000-0x000000000179E000-memory.dmp	upx
behavioral1/memory/1640-25-0x0000000000F00000-0x000000000179E000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

description	pid	process	target process
PID 1640 set thread context of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

pid process

616 686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
616 686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

pid	process
616	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
616	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
616	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
616	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

description	pid	process	target process
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
PID 1640 wrote to memory of 616	1640	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe	686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\686da91dfd575cc325685db58538bcc2_JaffaCakes118.exe"
2⤵
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-28-0x0000000004370000-0x0000000004C0E000-memory.dmp

Filesize
8.6MB

Download
memory/616-21-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-6-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-20-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-4-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-26-0x0000000000F00000-0x000000000179E000-memory.dmp

Filesize
8.6MB

Download
memory/616-35-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/616-3-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-34-0x0000000004370000-0x0000000004C0E000-memory.dmp

Filesize
8.6MB

Download
memory/616-16-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-10-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-8-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-2-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-33-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/616-23-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/616-14-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-27-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/616-32-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/616-30-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/616-31-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1640-0-0x0000000000F00000-0x000000000179E000-memory.dmp

Filesize
8.6MB

Download
memory/1640-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1640-22-0x0000000003A80000-0x000000000431E000-memory.dmp

Filesize
8.6MB

Download
memory/1640-25-0x0000000000F00000-0x000000000179E000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads