704aa3fdb207e995bb723a1ea2dabd09065a418ec13996704e5e4c2944b423b9

General

Target

47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe
Size

3.2MB
MD5

47191516f2bd453f1a2d7c500b82f359
SHA1

cd61840b87d1e26c0dd4227620c4541f83b047b3
SHA256

704aa3fdb207e995bb723a1ea2dabd09065a418ec13996704e5e4c2944b423b9
SHA512

d00ba7966463ab5b3592e1cd6c0cebd2fc79863860fcffc492c03570c8677c0d582d14736720b26b4eb835abcda2c275038d03dee9e77e95027758c99dd21103
SSDEEP

98304:l/7XMNzgMn72Jj+/vkBnX5BJRlEgzGhmK:hXMNkMT0RpBJXtChd

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe

Loads dropped DLL 2 IoCs

pid	Process
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023446-22.dat	vmprotect

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nvuais1.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\nvuais4.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\nvuais3.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File opened for modification	C:\Windows\SysWOW64\nvuais4.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\SkinH_EL.dll	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
File created	C:\Windows\SysWOW64\mvewia.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File opened for modification	C:\Windows\SysWOW64\nvuais2.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File opened for modification	C:\Windows\SysWOW64\nvuais5.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\essffagxf.dll	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File opened for modification	C:\Windows\SysWOW64\nvuais1.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\nvuais2.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File opened for modification	C:\Windows\SysWOW64\nvuais3.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
File created	C:\Windows\SysWOW64\nvuais5.dat	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
5056	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 5056	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	84
PID 3452 wrote to memory of 5056	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	84
PID 3452 wrote to memory of 5056	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	84
PID 3452 wrote to memory of 3972	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	85
PID 3452 wrote to memory of 3972	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	85
PID 3452 wrote to memory of 3972	3452	47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe	85
PID 3972 wrote to memory of 3596	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	87
PID 3972 wrote to memory of 3596	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	87
PID 3972 wrote to memory of 3596	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	87
PID 3972 wrote to memory of 3544	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	88
PID 3972 wrote to memory of 3544	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	88
PID 3972 wrote to memory of 3544	3972	DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe	88

C:\Users\Admin\AppData\Local\Temp\47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47191516f2bd453f1a2d7c500b82f359_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
  C:\Users\Admin\AppData\Local\Temp\//DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
  C:\Users\Admin\AppData\Local\Temp\//DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\essffagxf.dll Porn
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DNF169~2.EXE
    3⤵
    PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨.exe

Filesize
3.8MB

MD5
a37cbb0bcc40baa0f7488bb579b02cef

SHA1
ba820f7388ed73bfcbe81f287d2f6cbbbe994976

SHA256
bb655b103d7a92d61fb1d19b288de57be2dfdff63e39399a54d614b0b25e7814

SHA512
fc88a3212dce674923f948d8dc7b998c953de864197855fd27a4d53be3f770d14578311f99afca09dc4bda31e87490dcf77b2759c58f932bdced243ce83aadc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNF±Ø»ð1.69AÖÇÄÜÎÈ¶¨°æ.exe

Filesize
128KB

MD5
4fc259dbc36fee134d8365c59e9d6c13

SHA1
48c21b8225e78f0374c22f16e44b9ba063ab8527

SHA256
521d2bb23bce7324192a254c61b8e06b7de0370ab51e9c48477f68473dbf8499

SHA512
22316bc30fab7fd9291d34e473b6b1048af1ece8ad6de8bfd28e7354ac5a83877045cbb865567c1d897c7c78451816eba1afc9ddc6e77e88b056d67f7b76fc39

Download Submit
C:\Windows\SysWOW64\SkinH_EL.dll

Filesize
688KB

MD5
bd42ef63fc0f79fdaaeca95d62a96bbb

SHA1
97ca8ccb0e6f7ffeb05dc441b2427feb0b634033

SHA256
573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48

SHA512
431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c

Download Submit
C:\Windows\SysWOW64\essffagxf.dll

Filesize
109KB

MD5
3d042451c5d8c83d5b9ad10aad58ef0a

SHA1
a929263a776897c256e96009c2a2d21fb1fa50c3

SHA256
5f3dde7d2a8978b57a018782017e76c44d1074a8f36d582f718c46ff31b219b6

SHA512
0d23b6dd9142eeca49927198f20426c6654519e1076b9da6c1d2032e5ad422722c853e3e400fabfebe2c23c18f6ab971415dfd4162c21b104eacc3059abb321b

Download Submit
memory/3452-0-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/3452-24-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/3972-25-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing