4895c64c3e19bbaab52c0c85da433989fc214cca6b3ebfcea6be24a4ee49bc94

General

Target

86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
Size

77KB
MD5

86872b91a4d638626c23e65c49712f7b
SHA1

4096fc0cf8c709ba49af3cb463337e50599d989e
SHA256

4895c64c3e19bbaab52c0c85da433989fc214cca6b3ebfcea6be24a4ee49bc94
SHA512

6c187ee2cfad818bb007ef1d48b377455b0b90cce9816fb9ce4633f9ce3ca6affcd2b1fa7d5473efb16996ade7b2e0b2c75b0024e683c10f3ca7724cf0be32ed
SSDEEP

1536:qXbJ34nfAggjnMN42IfAQhhKd4HX4iM6O:UblieMLeLh8W+F

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-6-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-5-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-14-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-10-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-11-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-12-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-13-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-15-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral1/memory/2312-16-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-18-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-20-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-22-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-24-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-27-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2312-29-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
2312	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28
PID 1160 wrote to memory of 2312	1160	86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\86872b91a4d638626c23e65c49712f7b_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-3-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2312-12-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-15-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-2-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-5-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-10-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-11-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-0-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/2312-6-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-13-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/2312-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-22-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2312-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing