145c8b3c1136b59bdd49072e1d716c457b44e8520db2da06b67bbc445bac422f

General

Target

0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe
Size

577KB
MD5

0db6406ccab2bf91f732f2684c2b348a
SHA1

864a5a1546adf83cd0edf5c305f0ef11b82bd739
SHA256

145c8b3c1136b59bdd49072e1d716c457b44e8520db2da06b67bbc445bac422f
SHA512

c944bfccae90fd025226dd9369e5601c5c823c3a0d01789d5dd3bd4fb95a94df43ea43bf6c9562714a4e6c6c924a1325d22512c1120df800d149a21d95ebc944
SSDEEP

12288:YhY2rHQ6/1a8105bUlZOy4D2pSa/j76YydzyzSTqqrqqeqqEC:eQua81AUGy4u/X6YniqSq/qE

Score

9^/10

evasion upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-0-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral2/memory/3368-14-0x0000000000400000-0x00000000004F5000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80

Program crash 1 IoCs

pid	pid_target	Process
1948	4640	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4640	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe
4640	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80
PID 3368 wrote to memory of 4640	3368	0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0db6406ccab2bf91f732f2684c2b348a_JaffaCakes118.exe
  2⤵
  - Enumerates VirtualBox registry keys
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 516
    3⤵
    - Program crash
    PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4640 -ip 4640
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

Software Discovery

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3368-14-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3368-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4640-9-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-12-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-10-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-1-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-8-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-5-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-4-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-3-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-2-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4640-16-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads