28a57ca1951af169f7c0cdc02d9740612bc265a6cd6c59e6ef3aeeef2cf51b5f

General

Target

a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe
Size

229KB
MD5

a0dda89aae2ae544e2397275b1cacf79
SHA1

85f81c45269b8d599b75e1354caa3f4000d9531b
SHA256

28a57ca1951af169f7c0cdc02d9740612bc265a6cd6c59e6ef3aeeef2cf51b5f
SHA512

e6b864a17a39afe03f1489fba6a3c7baafafdd303717b06c39ae11651ad5407032d2db373cc3056afa9cc69202b577299e32a6e513de7d2a8839e2531f791393
SSDEEP

6144:qn/L+2uWlxdFMatkIV13AhV+Wdgjq8mMz:UVuW3zM+oXjsWMz

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe
1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe
1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-30-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-26-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-24-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-34-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-36-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-39-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2868-38-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2868	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 1176 wrote to memory of 2868	1176	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2708	2868	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2708	2868	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2708	2868	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2708	2868	a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0dda89aae2ae544e2397275b1cacf79_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 164
    3⤵
    - Program crash
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi4625.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\Services.dll

Filesize
11KB

MD5
68beaa20b3dad361f0a162c8adc3aaea

SHA1
ce7e26689a965b248605c4524b95df66294cf54c

SHA256
0a6f9186a30fc76a7b9947af695d692b12a989ef606a6884e9319c263a435951

SHA512
4f9109e4b9141d713e5a18de970ede003aa653bbf1bd8f1d30e2f31b383546415fc0a4c9f1df964bebfa3a6454ccc4bbccc1150167adcee24044d8971c5d0061

Download Submit
memory/1176-31-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2868-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing