d4d994ff60330e0bd82354a3ce71a04a323ed39c6dd616bc0e3bccac947799f6

General

Target

1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
Size

45KB
MD5

1c08d332603e4c912f00633e620a9b19
SHA1

cec9dc1769f788865c0f86f4c6dd5db1c4fe201f
SHA256

d4d994ff60330e0bd82354a3ce71a04a323ed39c6dd616bc0e3bccac947799f6
SHA512

bd61578ebf3cad817c10a541686ebc8ad2341778cc30d0e5f5beeae6be6a1cc2768595369edd731c62dd641bd9fc7edd5f096f7c7c2d56ee2f24b8cbfbf15ba5
SSDEEP

768:S3U8Emc3DASlAc6UqRk0IE4i86Mpa8efH2TTI8YX8yw+wToL+5+AhtLHkx+9A/:SoP321RkhE476QOWTTIQyVNbx+9A/

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2864	rundll32.exe
2864	rundll32.exe
2864	rundll32.exe
1936	rundll32.exe
2864	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2864	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-6-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral1/memory/2080-8-0x0000000000400000-0x000000000061D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmlfd008.ocx	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\0F766114ce.dll	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
File created	C:\Program Files\Common Files\mml25007.ocx	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\mml25007.ocx	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
File created	C:\Program Files\Common Files\0F766114ce.dll	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2864	rundll32.exe
460	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2864	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2788	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2864	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	29
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1936	2080	1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\mmlfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:2788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0F766114ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\mml25007.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\1c08d332603e4c912f00633e620a9b19_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\0F766114ce.dll

Filesize
10KB

MD5
83bf84090cd41cb647b22e0c21e268df

SHA1
d3bf3a2684008150713a6775b80661a57a14bd84

SHA256
e2ddc61c1d5c52f968479ec0284e5d3f47011b2f1b7658cf7ef26673b21549e7

SHA512
c1dea1500809d8ab88b04c206ac1ab9c6c193b91613a8b87d9b88c74c80dfc1d60857cc6b0717ac5f30088d857f066132fb78499bf6de60047b9322e5ea9ea7a

Download Submit
\Program Files\Common Files\mml25007.ocx

Filesize
52KB

MD5
c8a468089b36da771dee63cd64eebc37

SHA1
ac4736561f470678a9e24132dc8a448b3d65ffc5

SHA256
afac28ec84e965558e89b5f182dd44aa8c35cba3b5474eaffba7b3ace52e5207

SHA512
e4093d5cab436c556c8082bb0157d52c7f8bdbec3e4e6080556873adff95db584d4a73e40a4f1c2b864425586222dfb56f134b44ab6213c80c4aefcc595eab54

Download Submit
\Windows\SysWOW64\mmlfd008.ocx

Filesize
17KB

MD5
f45774c967deeebb10aea4e25227515b

SHA1
79d67ffa00dd3dd589210a2f4fe4f58153b51722

SHA256
057288c779ae91555b32359c73a969698077ef47e7dcf71f234bc7be6ab6f796

SHA512
a69846596734dbd9fe54291802b30fc28a195faeac2ad23f99d26614fbe4adec8c8c3b9e4376268454fc8aa92ef4c9fc1b99df8d6df7952f334919fdb86c8366

Download Submit
memory/1936-22-0x0000000010000000-0x0000000010212000-memory.dmp

Filesize
2.1MB

Download
memory/2080-6-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2080-8-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2788-21-0x0000000001CE0000-0x0000000001EF2000-memory.dmp

Filesize
2.1MB

Download
memory/2864-20-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2864-24-0x0000000002090000-0x00000000022A2000-memory.dmp

Filesize
2.1MB

Download
memory/2864-23-0x0000000010202000-0x0000000010203000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing