9b1adeb3426adffb30e74cc877c20d29fba2e35515943bec62dafecf2b955736

General

Target

1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
Size

2.9MB
MD5

1a7df6ead561967345bd81bc38aa36f1
SHA1

d1bf6ae452f5bd9bf04160d18f93506bd3fa4c7c
SHA256

9b1adeb3426adffb30e74cc877c20d29fba2e35515943bec62dafecf2b955736
SHA512

b4cb884de6c47577f84997eb9c21a64ac93b30c1534c88bdd71d2c1b36742322c4d6e7209b2ea8b867466dc024a79d54a362c9140d5b49dcf64f67bc56a677ab
SSDEEP

49152:blkJR0kxNrpU408hG2oKzbqO0Bz99UxEX8V72aExG4bNsWkn50a86tFX80oIKMxh:BkDtVF083mp59UxEsoxZqn50a86tFXQ4

Score

7^/10

aspackv2 themida

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000014721-32.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
3004	TMP0021.exe
2132	TMP1001.tmp
2668	TMP9110.TMP
2804	TMP9660.TMP
2208	NETCONFIG.EXE
2576	NETCMD.EXE

Loads dropped DLL 10 IoCs

pid	Process
2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
3004	TMP0021.exe
3004	TMP0021.exe
2132	TMP1001.tmp
2132	TMP1001.tmp
2132	TMP1001.tmp
2132	TMP1001.tmp
2208	NETCONFIG.EXE
2208	NETCONFIG.EXE

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000014721-32.dat	themida
behavioral1/memory/2668-33-0x0000000000400000-0x0000000000801000-memory.dmp	themida

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\netcmd.exe	TMP9660.TMP
File opened for modification	\??\c:\windows\SysWOW64\netcmd.exe	TMP9660.TMP
File opened for modification	C:\WINDOWS\SysWOW64\NETCMD.EXE	TMP9660.TMP
File opened for modification	C:\WINDOWS\SysWOW64\NETCMD.EXE	NETCONFIG.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\netconfig.exe	TMP9660.TMP
File opened for modification	\??\c:\windows\netconfig.exe	TMP9660.TMP
File opened for modification	C:\WINDOWS\NETCONFIG.EXE	TMP9660.TMP

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2804	TMP9660.TMP
2576	NETCMD.EXE
2576	NETCMD.EXE
2576	NETCMD.EXE
2576	NETCMD.EXE
2576	NETCMD.EXE
2576	NETCMD.EXE
2576	NETCMD.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
3004	TMP0021.exe
2132	TMP1001.tmp
2804	TMP9660.TMP
2208	NETCONFIG.EXE
2576	NETCMD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3004	2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe	28
PID 2968 wrote to memory of 3004	2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe	28
PID 2968 wrote to memory of 3004	2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe	28
PID 2968 wrote to memory of 3004	2968	1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe	28
PID 3004 wrote to memory of 2132	3004	TMP0021.exe	29
PID 3004 wrote to memory of 2132	3004	TMP0021.exe	29
PID 3004 wrote to memory of 2132	3004	TMP0021.exe	29
PID 3004 wrote to memory of 2132	3004	TMP0021.exe	29
PID 2132 wrote to memory of 2668	2132	TMP1001.tmp	30
PID 2132 wrote to memory of 2668	2132	TMP1001.tmp	30
PID 2132 wrote to memory of 2668	2132	TMP1001.tmp	30
PID 2132 wrote to memory of 2668	2132	TMP1001.tmp	30
PID 2132 wrote to memory of 2804	2132	TMP1001.tmp	31
PID 2132 wrote to memory of 2804	2132	TMP1001.tmp	31
PID 2132 wrote to memory of 2804	2132	TMP1001.tmp	31
PID 2132 wrote to memory of 2804	2132	TMP1001.tmp	31
PID 2804 wrote to memory of 2208	2804	TMP9660.TMP	32
PID 2804 wrote to memory of 2208	2804	TMP9660.TMP	32
PID 2804 wrote to memory of 2208	2804	TMP9660.TMP	32
PID 2804 wrote to memory of 2208	2804	TMP9660.TMP	32
PID 2208 wrote to memory of 2576	2208	NETCONFIG.EXE	33
PID 2208 wrote to memory of 2576	2208	NETCONFIG.EXE	33
PID 2208 wrote to memory of 2576	2208	NETCONFIG.EXE	33
PID 2208 wrote to memory of 2576	2208	NETCONFIG.EXE	33

C:\Users\Admin\AppData\Local\Temp\1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\TMP0021.exe
  C:\Users\Admin\AppData\Local\TMP0021.exe pth:C:\Users\Admin\AppData\Local\Temp\1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp
    C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp C:\Users\Admin\AppData\Local\Temp\1a7df6ead561967345bd81bc38aa36f1_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
      C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
      C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\WINDOWS\NETCONFIG.EXE
        
        C:\WINDOWS\NETCONFIG.EXE t
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\WINDOWS\SysWOW64\NETCMD.EXE
        
        C:\WINDOWS\SYSTEM32\NETCMD.EXE t
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TMP011.tmp

Filesize
768B

MD5
81010dd57e7f38595d91ce8707e452dd

SHA1
8811dedc9e0f72ca7b071f522edbd48d6d27bfed

SHA256
f2d4e45fa0ebd3e824e528af354d6d1d0a97817702e1052e405ebbfd1973eefe

SHA512
67ca1dc018986f714ffdcbc61733973c250f5a1281eac9574ad58eb88d61344530ffa16553526470395a125e8bba1349a5fb5a803a1ef8ab83f5315b24014cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP

Filesize
2.9MB

MD5
119165b1a99e093c7693b84eb38f5825

SHA1
814c3cc842de5436faa0870b75b8cfd183644db7

SHA256
332668921a3c4806491b3b734ed57aa7acf22e0b9bde92de4981c086f4a2038a

SHA512
741ed45cb93f0a84f49be4056308fcd67f026e1f0df44b857b4ba850a1a98e579741d09005c14446649a179e852e8e70fd51da5c83aaf7dd4095a9bc94f70d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP

Filesize
28KB

MD5
0e2c76bb6605c90469c4ae9f63dc3d05

SHA1
01180b1c9f92a1d108ff6c59a6a5ef93f1768ed8

SHA256
6e8696c1f5693615aa2d092a83d5ccfba7f5d8af0813878380a6217163dd963a

SHA512
32c9b21d9db7faf09ae22a57b1f828c53d9713ea6146e8d1cc8f5013157da473a02a3392c18cf3ed1a562ac0f741623e356d6bd70ee4432ebb9c0976bf2974b7

Download Submit
\Users\Admin\AppData\Local\TMP0021.exe

Filesize
2.9MB

MD5
5e7d69669e385f1083001aa573511b57

SHA1
6584f7a3aea6c429640d70979d6dd2850c98f09b

SHA256
26ce408a803c94a29f5621e2af577a72c6bd316747e89970b15234a22c579911

SHA512
cefd04b5a0e052870596f7c07d1508fb1d0a94761d08a5983e4e9d32bcebc6d7fa6b5b94d4f21f7542c5a23a22aed47433722c3ed322c09bc46c9344392c57f7

Download Submit
memory/2132-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2668-33-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/2804-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing