5bc9b551e31e5025cfaa9e2cb65f51387c6f8951355a70ea8ca0f712584b36a4

General

Target

4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe
Size

1.4MB
MD5

4385234b60bbc158535f0b5146cdf123
SHA1

da3bec4ea0206c21c71caa65beb537f44c87b057
SHA256

5bc9b551e31e5025cfaa9e2cb65f51387c6f8951355a70ea8ca0f712584b36a4
SHA512

5f141b8b9ab45ab02c3ede05d89b9e398bec8fdf6f800d333fe436662277be1fc3b7d619ddf9a340e05b258f869d6c4743443e4fe29a98cc1e0c4f81be5d419c
SSDEEP

24576:m/tTd/zSDIFj43F1DxX8yR0OS6kY+SpxtUPEsfAuMxnwzMUC80+L6AFuCT4T:YTdesFj4V1ia0DuDPU7jGJv+2uuCET

Score

7^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000016c5a-40.dat	aspack_v212_v242
behavioral1/files/0x0007000000016cc3-59.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2932	rundll321.exe
2832	MFQjDKd.exe

Loads dropped DLL 5 IoCs

pid	Process
2104	cmd.exe
2104	cmd.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000016cc3-59.dat	vmprotect

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mshtml.dll.mod	rundll321.exe
File created	C:\Windows\SysWOW64\mshtml.dll.mod	rundll321.exe
File created	C:\Windows\SysWOW64\sWrST.wiO	rundll321.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll	rundll321.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dllsWrST	rundll321.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dll	rundll321.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dllsWrST	rundll321.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll321.exe
File created	C:\Windows\MFQjDKd.exe	rundll321.exe
File opened for modification	C:\Windows\MFQjDKd.exe	rundll321.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	2932	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	rundll321.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2348	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2348	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2348	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2348	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2104	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2104	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2104	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	32
PID 2404 wrote to memory of 2104	2404	4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2932	2104	cmd.exe	34
PID 2104 wrote to memory of 2932	2104	cmd.exe	34
PID 2104 wrote to memory of 2932	2104	cmd.exe	34
PID 2104 wrote to memory of 2932	2104	cmd.exe	34
PID 2932 wrote to memory of 2832	2932	rundll321.exe	35
PID 2932 wrote to memory of 2832	2932	rundll321.exe	35
PID 2932 wrote to memory of 2832	2932	rundll321.exe	35
PID 2932 wrote to memory of 2832	2932	rundll321.exe	35
PID 2932 wrote to memory of 1736	2932	rundll321.exe	36
PID 2932 wrote to memory of 1736	2932	rundll321.exe	36
PID 2932 wrote to memory of 1736	2932	rundll321.exe	36
PID 2932 wrote to memory of 1736	2932	rundll321.exe	36

C:\Users\Admin\AppData\Local\Temp\4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4385234b60bbc158535f0b5146cdf123_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\Š‰ÑÓÂÊ¿.exe.bat" "
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\MFQjDKd.exe
      "C:\Windows\MFQjDKd.exe"
      4⤵
      Executes dropped EXE
      PID:2832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 344
      4⤵
      Loads dropped DLL
      Program crash
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Com8557.tmp

Filesize
55KB

MD5
f9b9ea3014596d374853e7a40e34315e

SHA1
0cf1ae7e6d70ae6be8dd4dcdca426e32ff6c3a9d

SHA256
84695a45735d33624015a92cffc5545cab3eb24df2f26e79db0b4d275d0c7844

SHA512
9df6970e292092daca4f95624d3dd05077ee637f000cfc4c150135fd33d2f5e5c39cea14bbee2f63c9c6556b33c565a29141cc2c0924e1c7caf6f4d5110e5477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe.bat

Filesize
120B

MD5
903365f6eee63b9886be90998ed4c991

SHA1
d8b090ae821b62560b9011c85479873ac7e3d4f2

SHA256
20842c46014ba77dab4b0730dd8e55a2b01786330bcfd657c7c7069502fe5c95

SHA512
9d410588ce05e25c50d82385b8f7a17072d2cfad63b4a49fd96d0fe3455e46c7f4d2ce4b8eb29771a9c03de9bcaeef1cb5602f6371c70082aa1c18c7b5376c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Š‰ÑÓÂÊ¿.exe.bat

Filesize
160B

MD5
07f6f3a823bcc3cb4dea86411c0c39c1

SHA1
0995ef60a0a8eb0dd2006cacee08de63b08b7dd2

SHA256
7fdf340d7ce1643782e41a154b2dde523f194450356017ec217c6cb5fc7b9de6

SHA512
53c05564479cef546a012ad844755eec3d7ebab2b233fc6d0aeb6503e0e2f027d2633829fd85ef47a4fb6259d1a87b6b5784331a3890946bc849427c6798e4cc

Download Submit
C:\Windows\MFQjDKd.exe

Filesize
51KB

MD5
062fae9998838a4f130ab0d62e48aa0d

SHA1
b358cc42a3d0be33ac0fa3b94383d5512fd85ff7

SHA256
8c6d7fdcfee602e7f966e445422fa95d26d744b6331ea76e5337a00d5df2e675

SHA512
5b856371202225e8931351301cbbc22b2b73078448d57070cd068c5fef07435d245a990e5ad68558ba56dbd759d7bbd4ca2d7eb4f4f970882f7d697f191d9037

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\rundll321.exe

Filesize
119KB

MD5
e39cbcadd6899d7c628fffeac7b0ef4d

SHA1
0e2cb27b8d9fbc47589b98311692df9dfb930751

SHA256
45f0d620fa2e8e9bdb20299b2061c36b25cfbfb2f50e5f29df8d0d7053ec5a4d

SHA512
1cd55479fd41bde26c072c45d0ee347ea4617253f202c251dc0b57071d3cf9a23de222b6294125953d673041c901a319c6052cec3b89e4f872086b7e66f6096b

Download Submit
memory/2832-50-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2832-49-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2832-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2832-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2932-48-0x0000000002200000-0x0000000002218000-memory.dmp

Filesize
96KB

Download
memory/2932-47-0x0000000002200000-0x0000000002218000-memory.dmp

Filesize
96KB

Download
memory/2932-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2932-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing