6d926fa545ca6f4c3c6e9c3c64503b6e7302718303a60690c219abbc015c47d9

General

Target

2c547125ff7f74860549852390c14001_JaffaCakes118.exe
Size

1.4MB
MD5

2c547125ff7f74860549852390c14001
SHA1

40fe4992e7ec2124d8f9440c5de02969331b425d
SHA256

6d926fa545ca6f4c3c6e9c3c64503b6e7302718303a60690c219abbc015c47d9
SHA512

e8e1251e90938358f0181a307a02e7ed0aa77c205191952f882089f6c5a9da46865756b98361bf92792d57d21028006df1f44441f18e014868458039a517116d
SSDEEP

24576:6gZ+QsmPo0EeIC3CHmCbd44QpOLZZbyMcDyGuRvaOAEUz8TY8XCl:9Z5BohpGo3QpOL+wRvKQjc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	UXVHx.exe

Loads dropped DLL 3 IoCs

pid	Process
2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe
2628	UXVHx.exe
2628	UXVHx.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2840	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2840	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2840	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2840	MSIEXEC.EXE
2840	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2628	2460	2c547125ff7f74860549852390c14001_JaffaCakes118.exe	31
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32
PID 2628 wrote to memory of 2840	2628	UXVHx.exe	32

C:\Users\Admin\AppData\Local\Temp\2c547125ff7f74860549852390c14001_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c547125ff7f74860549852390c14001_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\UXVHx.exe
  "C:\Users\Admin\AppData\Local\Temp\UXVHx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/winpalaceeuroge/Win Palace Euro Casino German20120305112801.msi" DDC_DID=1798801 DDC_RTGURL=http://www.dlsetup.com/dl/TrackSetup/TrackSetup.aspx?DID=1798801%26filename=WinPalaceGerman%2Eexe%26CASINONAME=winpalaceeuroge DDC_DOWNLOAD_AFFID=40786 DDC_UPDATESTATUSURL=http://209.200.154.71:8080/wpalaceu/Lobby.WebServices/Installer.asmx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=87.245.204.19 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMVALUE08=http://www.winpalace.im/en/preview-games/.aspx#video-poker CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer CUSTOMVALUE10=http://www.winpalace.im/en/preview-games/.aspx#video-poker SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="UXVHx.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isD8E6.tmp

Filesize
1KB

MD5
a5846bb7ab1fbaa1033d48225ae96178

SHA1
17259de4111e39b4f79f88a9ac84c144904f8025

SHA256
56395ce4ac801ebad8af6f237abc3e4bb7d58a9a79f952f254688b206a8e1ce8

SHA512
d32a6bfe2407c125c4667e8dcdb32927d56dd62524ee620f7ca3082e98313789d7210028a454d90803591ad9fca2989529c86b37439003feb24ffe09fa5ca4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D3DC2074-2A34-4437-861D-790F421D4524}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D3DC2074-2A34-4437-861D-790F421D4524}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D8E3.tmp

Filesize
6KB

MD5
b51eb0d2abe4ade2fcfb6bf5fd874e9f

SHA1
5eb97355294309efe8f7163b4d8aacf96b7d141a

SHA256
57da81625cc809f1f1715e8f98ae60015a5bbaaf0a712f55a32f591ec8f0bd28

SHA512
70ed1dac10c6a8c48e38031dbd40d634fa6e5dd90c24040b9b2f9330cb9535c921174a5fda872d6a031958e682ce7f0a82d3b0e158f3811d7886390d220ad569

Download Submit
\Users\Admin\AppData\Local\Temp\UXVHx.exe

Filesize
1.1MB

MD5
8a759a4a9dc27a851ce2b4954b9cbade

SHA1
9c4883fea2d05e4fae9a6b83eee3cce5d23d079a

SHA256
7565d060d09716458f6690859a9fa9d771601f2cd78defd8c43b3a009f8f867c

SHA512
aeb949fa3002824bcb017087c99620b9042117f6b88a4d7c1c0ce68c3345a6f2cab38e2c2344f8ac0bd2216a44141bc80f5ebe43a1909bc073e99e51cba58741

Download Submit

Analysis

Sharing