6f388ca5c2b1ebda53ce9362e9e165240908ae6ee7aed35745b6c3eef84a9722

General

Target

28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
Size

708KB
MD5

28610a293e166459e534cd2157e795cb
SHA1

4158e02875a9f55a546f800da32016d3fa2b1e97
SHA256

6f388ca5c2b1ebda53ce9362e9e165240908ae6ee7aed35745b6c3eef84a9722
SHA512

117f7dec1d0a774019af3a97daf5be9d272aaf79c6cefa799f4565a8185d6ab791647e71dc4a79c580e1cf64e92b7e0faea17f8c04f764b29d7e81d96e753e52
SSDEEP

12288:QjkArEN249AyE/rbaMct4bO2/Vi7Uscs5vkclGhQygF5GmWK/i6b:LFE//Tct4bOsQx5vkj4Nb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	prog.exe
2484	wmplayer.exe

Loads dropped DLL 4 IoCs

pid	Process
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
2280	dw20.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1408-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1408-23-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1408-23-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2484	wmplayer.exe
Token: SeSecurityPrivilege	2484	wmplayer.exe
Token: SeSecurityPrivilege	2484	wmplayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	prog.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3060	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	30
PID 1408 wrote to memory of 3060	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	30
PID 1408 wrote to memory of 3060	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	30
PID 1408 wrote to memory of 3060	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	30
PID 1408 wrote to memory of 2484	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	31
PID 1408 wrote to memory of 2484	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	31
PID 1408 wrote to memory of 2484	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	31
PID 1408 wrote to memory of 2484	1408	28610a293e166459e534cd2157e795cb_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2280	2484	wmplayer.exe	32
PID 2484 wrote to memory of 2280	2484	wmplayer.exe	32
PID 2484 wrote to memory of 2280	2484	wmplayer.exe	32
PID 2484 wrote to memory of 2280	2484	wmplayer.exe	32

C:\Users\Admin\AppData\Local\Temp\28610a293e166459e534cd2157e795cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28610a293e166459e534cd2157e795cb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\prog.exe
  C:\Users\Admin\AppData\Local\Temp/prog.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\wmplayer.exe
  C:\Users\Admin\AppData\Local\Temp/wmplayer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 568
    3⤵
    - Loads dropped DLL
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prog.exe

Filesize
116KB

MD5
71e4cd5165c8fc4becb91ae0ab34ec5d

SHA1
4f5ca4658b144932ff8c995c0eb7b9a2dc4c049e

SHA256
e1985eb0362a85c34b0b900dbc52bf83190cd79c9c8780c149c5958673a149dc

SHA512
4f3f8318cf60d2576092c6f7f75c08a731240bbfaf8d772f995e2cf33b360e423853618b65307ce5c483f1d678145b84c189a27c15ab792cc4f22e41ae945410

Download Submit
\Users\Admin\AppData\Local\Temp\wmplayer.exe

Filesize
448KB

MD5
e45a2babe87bfc65e6b0c3a0d20084a0

SHA1
7263f691a4513b7c56da1ef55953d8df4b2deee9

SHA256
1830623ec5b9a16857ddebc0cfeef746824577f93dba86e16302267580a4308c

SHA512
623a6bb3e97633d02c1cd8a7c99776e7aebf2ca15b21ad1470e5e42d3a48528a2ca251da0b2c00e0ddb56d98d86a9d880e65c43f3e54109db4c364ec24c9271f

Download Submit
memory/1408-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1408-23-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2484-27-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2484-28-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-29-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-30-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-32-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing