27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb

General

Target

071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
Size

772KB
MD5

071c23ae75e84b754dcd5b6e22056d28
SHA1

ee3579b279cd3b6f5f555188e70c9fb459b4a958
SHA256

27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb
SHA512

0e020fd7440646e5ec5ce738fe54dcf4c15427181b98e18a1e603b4f5099201286fba264d8a3de566661a7f54be50a2b958db9cd5f3d207d1ac0c598679cbf95
SSDEEP

24576:eCxkZmvVi0FRAHgbGQjwZegfrxQU3SjZ6GPrb:eCx7V3FO9tOCSjZ6UX

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe	msmh.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe	msmh.exe

Executes dropped EXE 4 IoCs

pid	Process
3064	msmh.exe
3068	msmh.exe
1720	emailextractor.exe
2744	INS2868.tmp

Loads dropped DLL 10 IoCs

pid	Process
2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
3064	msmh.exe
2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
1720	emailextractor.exe
1720	emailextractor.exe
1720	emailextractor.exe
1720	emailextractor.exe
1720	emailextractor.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000014284-3.dat	upx
behavioral1/memory/2944-5-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral1/memory/3064-16-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral1/memory/3064-33-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx
behavioral1/memory/3068-38-0x0000000077CA0000-0x0000000077CCB000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gbd5.tst	msmh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3064	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	28
PID 3064 wrote to memory of 3068	3064	msmh.exe	29
PID 3064 wrote to memory of 3068	3064	msmh.exe	29
PID 3064 wrote to memory of 3068	3064	msmh.exe	29
PID 3064 wrote to memory of 3068	3064	msmh.exe	29
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1720	2944	071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2632	3068	msmh.exe	31
PID 3068 wrote to memory of 2632	3068	msmh.exe	31
PID 3068 wrote to memory of 2632	3068	msmh.exe	31
PID 3068 wrote to memory of 2632	3068	msmh.exe	31
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33
PID 1720 wrote to memory of 2744	1720	emailextractor.exe	33

C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\msmh.exe
  "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\msmh.exe
    C:\Users\Admin\AppData\Local\Temp\msmh.exe b
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
      4⤵
      PID:2632
- C:\Users\Admin\AppData\Local\Temp\emailextractor.exe
  "C:\Users\Admin\AppData\Local\Temp\emailextractor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\INS2868.tmp
    C:\Users\Admin\AppData\Local\Temp\INS2868.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\emailextractor.exe 695216 698160 59904
    3⤵
    - Executes dropped EXE
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\emailextractor.exe

Filesize
686KB

MD5
4b1d8cc66e1242f635630004b24485b5

SHA1
63983c61258d46f04c41eb50d9b033127df9eb29

SHA256
13159e26ef2c6c3ff1ed05bdd9c9fbfd7f22eb9dc4ee0c5c187b4769468355c0

SHA512
d24a7727fec154832230c549cd2eaddada3961eb86718b3870591d6bc2d26c8f687132f715065e0f793221999484e571b5e0d3b27937a6f1918a6775cf23fb02

Download Submit
\Users\Admin\AppData\Local\Temp\INS2868.tmp

Filesize
309KB

MD5
428e857334568f7c6b3d81470eafa938

SHA1
e255c1c5c9386cca77ffc19a32485777e63c1757

SHA256
995a9d2fb234c2832f21bebd28bbf02f7400d46e188433ab105d2963b5fdd3d7

SHA512
58c9f45eee12060f33500aabaeb919784445322bb7fbfce4909de035932fc4afde6f9506cc6154eb4362d022dde24af66368aab18297759bdb0077e5b2b47db0

Download Submit
\Users\Admin\AppData\Local\Temp\msmh.exe

Filesize
73KB

MD5
5290ea3a0b7371d6efcaf605111f5325

SHA1
89c1876e9d515c6be25e1dc80b5a577c883e3459

SHA256
d0009dbcb51202b589b359903f1181c2ca00f5d475dfc7e8af69904cc09360b3

SHA512
8d3a839ee106c4ac786a373b27e97665b180c75ff3bd5f3372f4f2fc0ad49b0a8b50d806a36d402282b4b523992fc6b9cb1eefea6fc24ac0b5d090286b0320d1

Download Submit
memory/1720-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2744-49-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2944-14-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/2944-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2944-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2944-5-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/3064-16-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/3064-33-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download
memory/3064-18-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/3068-38-0x0000000077CA0000-0x0000000077CCB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing