76afa14cbd51dc9e3ef362928b4c9309a80d1ae077dcfcefb16abfe429be4365

General

Target

4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe
Size

303KB
MD5

4d63605c5e8f18d43a5b34e96ffeb4b4
SHA1

3f83c274bc385f65c2bbc92c76189ff16933be5f
SHA256

76afa14cbd51dc9e3ef362928b4c9309a80d1ae077dcfcefb16abfe429be4365
SHA512

ecf11935355476e0c318f73bd1728d896fd9bbcf0039697c83a3a5970c84f3810a428efc85bf0aa9c88f722c0ba8fa66e1b2f23a0991480523535eac35ff8226
SSDEEP

6144:/WF2cNUTdsHoj+Tl39kWJpAcETNBaur8bv4LoSiAdqQK8TLlbmMCqZCH:/W5oTWX2jau4v4LoSiAoQK8HFvCH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2796	48093.exe
2800	19882.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-7.dat	upx
behavioral1/memory/2796-12-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2192-10-0x0000000000270000-0x00000000002B3000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2796-19-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-21-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-22-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-24-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-26-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-28-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-30-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-32-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-34-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-36-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-38-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-40-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-42-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-44-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2796-46-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\19882.exe	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe
File created	C:\Windows\48093.exe	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe
File opened for modification	C:\Windows\48093.exe	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe
File created	C:\Windows\19882.exe	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	2800	WerFault.exe	31

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2796	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2796	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2796	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2796	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	30
PID 2192 wrote to memory of 2800	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2800	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2800	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2800	2192	4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2476	2800	19882.exe	32
PID 2800 wrote to memory of 2476	2800	19882.exe	32
PID 2800 wrote to memory of 2476	2800	19882.exe	32
PID 2800 wrote to memory of 2476	2800	19882.exe	32

C:\Users\Admin\AppData\Local\Temp\4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d63605c5e8f18d43a5b34e96ffeb4b4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\48093.exe
  C:\Windows/48093.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\19882.exe
  C:\Windows/19882.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 132
    3⤵
    - Program crash
    PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\19882.exe

Filesize
37KB

MD5
336f7f2f964f466f5c71aef9042ab0ff

SHA1
b315e2e11ccfa7573dcf8085a8f65e0da86835f7

SHA256
e0a5186cf901f4d14be0f43c6b8b3c2a18c119a6207c669b0267333d026c38d1

SHA512
9913370915dc33c2cb72da6511660d70fb74a9b03d6644f59c0e4f40183df8b6b9ea04b541197ef07effb4a45afc9634254fed66125374bd82b101730323d084

Download Submit
C:\Windows\48093.exe

Filesize
87KB

MD5
842fdeb77fde3bf55e427e817f19ac08

SHA1
892219c94aa8f8a60865ced2c2585754ea87d71f

SHA256
85dcc6df127023e74c8a0f7cfc539038ca216096e8123ec601b7ef32b72d26b8

SHA512
e7680a8d601b5239b583bcf531abee8de28e37eb713f867b13d3402b1aa8f22c63a87fe948c33d5aab6549a0fc619587d3fe6ade70072f98e14b08b6e6998577

Download Submit
memory/2192-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2192-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2192-11-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2192-10-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2796-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-42-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing