a1b343080dfb8593827704e4b2d553f9af13a1766ee97cd722150ea63032cb75

General

Target

4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
Size

78KB
MD5

4a309c4e2cd6d47b1cb6b4686db6f46e
SHA1

6cd0607da7af9bdf10dbe5e61ec6775b9736e7d1
SHA256

a1b343080dfb8593827704e4b2d553f9af13a1766ee97cd722150ea63032cb75
SHA512

903093b82149cd253fb54a4b4d63ed3630b07704481c32151b7101dd67f1aca3bd6b106051516bceb3b4a5457a148a2f8a7152c0955fd2275b752777fef8636e
SSDEEP

1536:CuF78eEotFSiX9rsMmYgkDmwY5jm7L4UEFZe1BgGI0XmzqjrRcBkH:dF78sfSmrsYZDv8wdEFyBgGI0X/n6BW

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1904	jahjah03.exe

Executes dropped EXE 2 IoCs

pid	Process
1904	jahjah03.exe
2524	jahjah03.exe

Loads dropped DLL 5 IoCs

pid	Process
2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
1904	jahjah03.exe
2524	jahjah03.exe
2524	jahjah03.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-11-0x0000000000400000-0x00000000006DF000-memory.dmp	upx
behavioral1/memory/2232-22-0x0000000000400000-0x00000000006DF000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mgt03012.ocx	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mgt99018.ocx	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jahjah03.exe	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jahjah03.exe	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\mgt03012.ttf	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
File opened for modification	C:\Windows\fonts\mgt03012.ttf	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
1904	jahjah03.exe
1904	jahjah03.exe
1904	jahjah03.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1184	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	21
PID 2232 wrote to memory of 1904	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1904	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1904	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	28
PID 2232 wrote to memory of 1904	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2524	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2524	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2524	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2524	2232	4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\jahjah03.exe
    C:\Windows\system32\jahjah03.exe C:\Windows\system32\mgt03012.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\4a309c4e2cd6d47b1cb6b4686db6f46e_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Windows\SysWOW64\jahjah03.exe
    C:\Windows\system32\jahjah03.exe C:\Windows\system32\mgt99018.ocx pfjieaoidjglkajd
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fonts\mgt03012.ttf

Filesize
540B

MD5
8ff089ae85db334d6ac4a7ae7a3167f6

SHA1
f132123a930c899c15682cbf04b07ff4c55ea2fc

SHA256
e9e024126df1149d533ea56bf3a6992054c7a62e716361976ad3401f19936487

SHA512
c156d2485e9a9be219deea60d57436557f6670231f565ece6c6c42523d11277b0b59ce98982f3391df928715fa93c46c0f97f47d41f2c00a9d3c0b3a96b2eb85

Download Submit
\Windows\SysWOW64\jahjah03.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\mgt03012.ocx

Filesize
836KB

MD5
7fe706b3d3acbafdf8e9dc28ed3d4fb1

SHA1
5df219e8939f9d0e59bd0d9359e8f58283fd103f

SHA256
1ee694b7549f978809ba65121094bbf9ed802f4c61500cfff5292bb1d0dc6632

SHA512
e8c9a6a1922592eb17f8dad084fafae5d7df2deee95e30f0876dffea30342ed10879bb3b2df15e456b1af9e7740478ad97bbdb137be0a89dd4a14089c877a56b

Download Submit
\Windows\SysWOW64\mgt99018.ocx

Filesize
16KB

MD5
5462f70e72d2984e9b715cc92421ce60

SHA1
283f3536076deb265d229e1a8a4b1b15ba7dd30e

SHA256
fd45517e06f2a29502f6e1c7706f50e553494a3509f31438d81d811b7abc10c0

SHA512
2507cb5362f11b4978b3b935e635a981682ba52dbd3f9df642da436b8694e06ff8613e2e1a6e3ce8b985d05736fa6a05f6bcb516da3b222132373a0ab9005f79

Download Submit
memory/1184-8-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1904-26-0x0000000010000000-0x00000000104D7000-memory.dmp

Filesize
4.8MB

Download
memory/2232-11-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/2232-22-0x0000000000400000-0x00000000006DF000-memory.dmp

Filesize
2.9MB

Download
memory/2524-28-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2524-30-0x0000000002380000-0x0000000002857000-memory.dmp

Filesize
4.8MB

Download
memory/2524-27-0x0000000002380000-0x0000000002857000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing