e02b8490c6ff50b1adcfd4b05bb9a8a2dbc429510e03e3c9931f91fca733ed3e

General

Target

655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe
Size

6.0MB
MD5

655ad18ff0be681a1e8354d750ba304f
SHA1

945e01ef29385c0ccb9e2ba739b69e4efa7ec865
SHA256

e02b8490c6ff50b1adcfd4b05bb9a8a2dbc429510e03e3c9931f91fca733ed3e
SHA512

73a63294f647062d157f1d016c8878967fccb904ddfa43409bf11f6ef4a026484003b3595f732a2aa5ad5dfb1eed6d542f9d3eb3f4cf89f3283e1a6f87ad1015
SSDEEP

98304:PAH/7ocAJcRwsf1uaHLV+Qih2/wq/MBZA7qSrvOsxT4oP7nNGftndh:CUp+Rv5LV+QHDswiS7nNA

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2156	explorer.exe
2040	iexplore.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe
1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x00000000003E0000-0x00000000004FF000-memory.dmp	upx
behavioral1/files/0x000d00000001227f-2.dat	upx
behavioral1/memory/1712-10-0x00000000027A0000-0x00000000028BF000-memory.dmp	upx
behavioral1/memory/2040-14-0x0000000000240000-0x000000000035F000-memory.dmp	upx
behavioral1/memory/2156-13-0x0000000001260000-0x000000000137F000-memory.dmp	upx
behavioral1/memory/2156-23-0x0000000001260000-0x000000000137F000-memory.dmp	upx
behavioral1/memory/1712-26-0x00000000003E0000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2040-27-0x0000000000240000-0x000000000035F000-memory.dmp	upx
behavioral1/memory/2040-49-0x0000000000240000-0x000000000035F000-memory.dmp	upx
behavioral1/memory/2040-62-0x0000000000240000-0x000000000035F000-memory.dmp	upx
behavioral1/memory/1712-64-0x00000000003E0000-0x00000000004FF000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe
1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
2040	iexplore.exe
2040	iexplore.exe
2040	iexplore.exe
2040	iexplore.exe
2156	explorer.exe
2156	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2156	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2156	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2156	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2156	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2040	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2040	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2040	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2040	1712	655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2244	2156	explorer.exe	32
PID 2156 wrote to memory of 2244	2156	explorer.exe	32
PID 2156 wrote to memory of 2244	2156	explorer.exe	32
PID 2156 wrote to memory of 2244	2156	explorer.exe	32
PID 2040 wrote to memory of 2424	2040	iexplore.exe	35
PID 2040 wrote to memory of 2424	2040	iexplore.exe	35
PID 2040 wrote to memory of 2424	2040	iexplore.exe	35
PID 2040 wrote to memory of 2424	2040	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\655ad18ff0be681a1e8354d750ba304f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1736.bat"
    3⤵
    PID:2244
- C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2180.bat"
    3⤵
    PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1736.bat

Filesize
182B

MD5
d9d1b923eee4adb7310075384d03f1cb

SHA1
6a055e4c6af98a90ca621cc30143e96706e6c89a

SHA256
f1aad3bc7dfb98d087b7a25a6e0eb32a2f6f8b2d1a3548647d7bda389cc278a3

SHA512
8b717f9262d545e1df4a676605e05ea15b4291d37e5e6f1097170af2a5b4ffe1f5e58ec815138aefc7cd8ef2c022a7c3d05b80f344412a668b5670964593a2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2180.bat

Filesize
182B

MD5
4409e2214e2f6018312292d30c1ffc98

SHA1
b1e6328d36384386fa7451ccf3790df7dd9a08fb

SHA256
65882844b7545f6f756f610d78fea45176218f7de6b0277f1ac5fe47fbb6b935

SHA512
ff401a374378c1aea3c751321e39ad380815620f93b7d7d74e311e016af9785e0b94bb31facac78b00fc8ed9bad162ef0ff3cc5d3a8c50696ff24c71b5570a6c

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
6.0MB

MD5
655ad18ff0be681a1e8354d750ba304f

SHA1
945e01ef29385c0ccb9e2ba739b69e4efa7ec865

SHA256
e02b8490c6ff50b1adcfd4b05bb9a8a2dbc429510e03e3c9931f91fca733ed3e

SHA512
73a63294f647062d157f1d016c8878967fccb904ddfa43409bf11f6ef4a026484003b3595f732a2aa5ad5dfb1eed6d542f9d3eb3f4cf89f3283e1a6f87ad1015

Download Submit
memory/1712-10-0x00000000027A0000-0x00000000028BF000-memory.dmp

Filesize
1.1MB

Download
memory/1712-0-0x00000000003E0000-0x00000000004FF000-memory.dmp

Filesize
1.1MB

Download
memory/1712-26-0x00000000003E0000-0x00000000004FF000-memory.dmp

Filesize
1.1MB

Download
memory/1712-11-0x00000000027A0000-0x00000000028BF000-memory.dmp

Filesize
1.1MB

Download
memory/1712-64-0x00000000003E0000-0x00000000004FF000-memory.dmp

Filesize
1.1MB

Download
memory/2040-14-0x0000000000240000-0x000000000035F000-memory.dmp

Filesize
1.1MB

Download
memory/2040-27-0x0000000000240000-0x000000000035F000-memory.dmp

Filesize
1.1MB

Download
memory/2040-49-0x0000000000240000-0x000000000035F000-memory.dmp

Filesize
1.1MB

Download
memory/2040-62-0x0000000000240000-0x000000000035F000-memory.dmp

Filesize
1.1MB

Download
memory/2156-13-0x0000000001260000-0x000000000137F000-memory.dmp

Filesize
1.1MB

Download
memory/2156-23-0x0000000001260000-0x000000000137F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing