349b4d6a8fb644e753ed24b75733b0ff3ce684a92f8c0b4bcefddda92e9e4851

General

Target

8d2137ba1605488314d333929110816b_JaffaCakes118.exe
Size

709KB
MD5

8d2137ba1605488314d333929110816b
SHA1

02197154dd71fa3e7dd773a69cef255010704453
SHA256

349b4d6a8fb644e753ed24b75733b0ff3ce684a92f8c0b4bcefddda92e9e4851
SHA512

7ffc710fd9883524b4ef0cc4ee9721a0342846295f209a222b171d67bf55803ef5d230648d2fcc19103ddc94b6935a6956fe3699b4ff3b4bbffeba8c65aa237d
SSDEEP

12288:b/q3d+RzuRjopCvirUDePp1ahlSUQb/wolwPoc1HvAQ7gAEXG9V:b/Md+RUocvirUD8nafQPkocpqA

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003b000000014bca-46.dat	acprotect

Loads dropped DLL 15 IoCs

pid	Process
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003b000000014bca-46.dat	upx
behavioral1/memory/3052-51-0x0000000073E60000-0x0000000073E6A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3052	8d2137ba1605488314d333929110816b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8d2137ba1605488314d333929110816b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d2137ba1605488314d333929110816b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy117F.tmp\PopWnd.dll

Filesize
4KB

MD5
f3d5fe8b0434e38b179546a8d32967e1

SHA1
221bf35c3596e78cede2c4421ff61792f66e3914

SHA256
53be818ad34482490f8f1f89a7586fd2f6185e753672e000a6ba92bb6b08b234

SHA512
35661fc31895e9c4359fc43f60a56fd5ebc5ea65f2dee97c9b34fe6479feab327772d7e12389ac00ffd2b5aa825ab760cd599ae4be31146e02b155a339d6c308

Download Submit
\Users\Admin\AppData\Local\Temp\nsy117F.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nsy117F.tmp\inetc.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsy117F.tmp\lxdl.dll

Filesize
128KB

MD5
3fef0e85cde495b7bd3feca92681d086

SHA1
84e719e5373ec710b9eb4a5e59d73a50dfee8db1

SHA256
aef81a6cbe45bceeb99691e5e1dc17555010174a6063f301c9ca753d7d53acf7

SHA512
6dce6fc460d95fe2adf5f618fee66157ab7133f98af910a989f046b9bb90c8d9ca2448ea42bf2e468459c025ea3770100cca4d5cb7b245710c2d3a155034955d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy117F.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
\Users\Admin\AppData\Local\Temp\nsy117F.tmp\socket2.dll

Filesize
34KB

MD5
92f5baee9f23ed13f7909406353cfa31

SHA1
2c58e32d3d1396237bfa27fb7d09ad735144d659

SHA256
beed26f6b67a79720592cfb19d58ce4fa70d5b448e21d4c029555d2c7ca9212c

SHA512
06a6b96f0093dd8d6cc6523ac39c791ffb2568174ca808bf9ea4bdbed56963e7cbc54ef5c39cf895cc5230145f60280c88aa4802447f3a314e98ed1f480e99a3

Download Submit
memory/3052-18-0x0000000002C33000-0x0000000002C34000-memory.dmp

Filesize
4KB

Download
memory/3052-20-0x0000000002C60000-0x0000000002C69000-memory.dmp

Filesize
36KB

Download
memory/3052-51-0x0000000073E60000-0x0000000073E6A000-memory.dmp

Filesize
40KB

Download
memory/3052-82-0x0000000002C33000-0x0000000002C34000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing