b0e87268c08bda1d63293aa12b3a5c9606e435f048bd95a55cb996f89aa575b2

General

Target

3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
Size

837KB
MD5

3628c8d5bedb50aa691c3d2bc85bab33
SHA1

2d61963222d69fe29218e4e1ce23140fd6826f89
SHA256

b0e87268c08bda1d63293aa12b3a5c9606e435f048bd95a55cb996f89aa575b2
SHA512

2076d3c3f0c1a776c57b230d16bc09bf3fd7912a33bafa91d395757f6c253120e3416d40f752ab890dc2ee82c64f90042a3bfb34d310862f1e546a3ab23d4e71
SSDEEP

12288:2LEZiqbWtD9HGajeKoXMxMItMtCIb3Tl9qt2OVRzUNc//////X:nVqGaSKoOtMtCIb3U2OVEc//////X

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2556	gifresizerchs.exe

Loads dropped DLL 43 IoCs

pid	Process
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
2556	gifresizerchs.exe
2556	gifresizerchs.exe
2556	gifresizerchs.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012119-1.dat	upx
behavioral1/memory/2556-23-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral1/memory/2556-146-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral1/memory/2556-175-0x0000000000400000-0x000000000059A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	gifresizerchs.exe
2556	gifresizerchs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2556	1328	3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3628c8d5bedb50aa691c3d2bc85bab33_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\gifresizerchs.exe
  C:\Users\Admin\AppData\Local\Temp\gifresizerchs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gifresizerchs.exe

Filesize
627KB

MD5
8c735c983ee20ec5f7a4a4b7ae344a55

SHA1
379c46d52dc0b34a6c72043c30c0b7b4d0c4fcc7

SHA256
4881ee99a53d1e93630943eaac6ca8fb5acfb411945b0b078ff71e9c1a2d4ce2

SHA512
f09c902a04bb36183ef21a2a2afa989c5fc86716ff43adf4f7c0a86052bcfe264bd6e155cf9c505ca61b9ddc92d860f2340be0808fb65ddd0fa131fbc3b13551

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA352.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA352.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/1328-22-0x0000000002970000-0x0000000002B0A000-memory.dmp

Filesize
1.6MB

Download
memory/1328-21-0x0000000002970000-0x0000000002B0A000-memory.dmp

Filesize
1.6MB

Download
memory/2556-23-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2556-32-0x0000000000B00000-0x0000000000C9A000-memory.dmp

Filesize
1.6MB

Download
memory/2556-146-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2556-175-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2556-176-0x0000000000B00000-0x0000000000C9A000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing