388b551b3897c30d49b4559696b0ecb30333ed59aecc26558ebe6017ecef271c

General

Target

3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
Size

1.6MB
MD5

3e1e7c7e6497e6fa420f8314ba6195a4
SHA1

86c3033abc23c1fefc9923f59c2d5be9592f25e3
SHA256

388b551b3897c30d49b4559696b0ecb30333ed59aecc26558ebe6017ecef271c
SHA512

cd2417e3fa5a5202342cd536190b304ea9f5753534c67fdbe7f2e16e7dfe31db83b4b23e2e3065e69bb0f7e2f520ba87021eb522e429aeb03572a1effef76206
SSDEEP

49152:mJkeJgoel/e4TKjwHBeiAxdFuQMUuc8UP7xv4:mJk6uPytB8UPK

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2804	tf0.exe
2632	setup.exe

Loads dropped DLL 13 IoCs

pid	Process
2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
2804	tf0.exe
2804	tf0.exe
2804	tf0.exe
2804	tf0.exe
2804	tf0.exe
2804	tf0.exe
2632	setup.exe
2632	setup.exe
2632	setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x000f000000011b9c-17.dat	upx
behavioral1/memory/2804-72-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2804	2528	3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31
PID 2804 wrote to memory of 2632	2804	tf0.exe	31

C:\Users\Admin\AppData\Local\Temp\3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e1e7c7e6497e6fa420f8314ba6195a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\tf0.exe
  "C:\Users\Admin\AppData\Local\Temp\tf0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log

Filesize
475B

MD5
6326e10b760f2d1ab19fba7e1db40e42

SHA1
9c4195b9f31d15effcb3e7d39215a40c34ba0591

SHA256
66a230d125f7179079b4f2d2533e3f1d1f4e9897ca52805b2cb30caf4969e281

SHA512
b93fc3d7819e2a6b29049974ff929584f0a9fa6bd82e103b6edfffbf5dc4431931900ebc64d16d8e3fab5b2ed843a728a63b5e9d573d09b1f639880e102c1796

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf0.exe

Filesize
1.5MB

MD5
5ba877d05ac6b87a72db8ae8ade00e48

SHA1
429fb1857f5ecff5f0fb0c0bbc8e375912139d91

SHA256
fc96f8d4e172ad321c40b5154acc6c7ed74ee5d7e62c739774fdbc3c0c7e85ef

SHA512
1686740dfc573d51ef8b12f8d977019808661232b0359e503eb45c5e4eb05185a2fd8842047e96245721ddcd935f8d64fbfdebe793a99879f79069164df67375

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
86KB

MD5
05d076f8b51da09aad5f9f57784f6a3a

SHA1
abf5e5b1c72445a4b698b50f7dce7f3cbeb0eac5

SHA256
8dba395134f485c8ee5aa1e5d7ff85dce83ff38ccf60d3489c071b1a263c9bf4

SHA512
b033d54dcb441ced210129e2f03c129bf31741108fda4405660bad50abfca5e222c13a1b003d6547bc9a6227025d7e35fe38b4445bebd0c5e2b6afb729719b6d

Download Submit
memory/2528-7-0x00000000028E0000-0x00000000028F4000-memory.dmp

Filesize
80KB

Download
memory/2528-8-0x00000000028E0000-0x00000000028F4000-memory.dmp

Filesize
80KB

Download
memory/2528-16-0x0000000003020000-0x0000000003034000-memory.dmp

Filesize
80KB

Download
memory/2528-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2528-74-0x00000000028E0000-0x00000000028F4000-memory.dmp

Filesize
80KB

Download
memory/2528-75-0x00000000028E0000-0x00000000028F4000-memory.dmp

Filesize
80KB

Download
memory/2528-76-0x0000000003020000-0x0000000003034000-memory.dmp

Filesize
80KB

Download
memory/2528-77-0x0000000003020000-0x0000000003034000-memory.dmp

Filesize
80KB

Download
memory/2632-73-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2804-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2804-24-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2804-23-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/2804-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing