221acd05ebc2cde5486f527a7c7e4b995f7ddc9b4161e2e28286dd9b4765b501

General

Target

3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
Size

61KB
MD5

3eae1849e3a04a87a38318db4766f233
SHA1

057f0d3f8df12546e45022b588de1c3052ade9f5
SHA256

221acd05ebc2cde5486f527a7c7e4b995f7ddc9b4161e2e28286dd9b4765b501
SHA512

193b044d4a938baf6c7c33a43c3d229cb90e2030c120ed68c416dc05ef3c750357569ac289ad7a3fd8cdb3bf46fec6cc95e20ba17c31e309a788ac6cbfbb66f6
SSDEEP

1536:4L18iZKJbMflDLtTRCNAmuAR++9Mo8jq/RiGXf+1dU+lkjF0Tt4p:4B8wNLt9rmdwCD8O/MakdveT

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3024-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x0005000000018b6e-12.dat	vmprotect

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\deatie2.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\deatie5.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie5.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie.cfg	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\deatie3.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie3.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\deatie4.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msivpghzt.dll	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poeiet.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\deatie1.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie1.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie2.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\deatie4.dat	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 1992	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2736	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2736	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2736	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2736	3024	3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3eae1849e3a04a87a38318db4766f233_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\msivpghzt.dll Run
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3EAE18~1.EXE
  2⤵
  - Deletes itself
  PID:2736

\Windows\SysWOW64\msivpghzt.dll

Filesize
80KB

MD5
7a8d4f5828f33b6db3108cd92aef016e

SHA1
50486f6ab603cf8945312065bd755d47bd558849

SHA256
06f8ae0caf854a266b33a6e19a6a7190f8cdae0dbe3f2b6af6d697a844778844

SHA512
8979dfcd6074e238b2d82e64ef614ee80c8ee8de6068f62f8c6b37b560b442beafd31dd9e96245336ae89883cd2662bb161a7e87dc756e14fe2b64cf0adc3cd7

Download Submit
memory/3024-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3024-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download