360937ebd64a55d6af261f7142b1494537534fdab4624eb39fc13f92898fa90a

General

Target

65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe
Size

653KB
MD5

65ee8d252127a1222bbba889ce0e47e8
SHA1

d0a415de772206da8c4c9b8abd86420b92446094
SHA256

360937ebd64a55d6af261f7142b1494537534fdab4624eb39fc13f92898fa90a
SHA512

375c4a69424e1027502d6899c7d64f51165419a399a2f6ea13753d0e4548793adcef541530840b7d1f78d256e3e55e63c3e701816ded7a3871f92c2ed03003c8
SSDEEP

12288:oRFj6EhxNTSHMfTFHh2CoQKqfyigeiJ8UcxkVzrUqzEPoYxfkKbzP:LEhPSHMdhXoQKqfyf8jx6r1z1akkP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
396	dcf.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-17-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2340-17-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
396	dcf.exe
396	dcf.exe
396	dcf.exe
396	dcf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 396	2340	65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe	83
PID 2340 wrote to memory of 396	2340	65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe	83
PID 2340 wrote to memory of 396	2340	65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe	83
PID 396 wrote to memory of 3456	396	dcf.exe	56
PID 396 wrote to memory of 3456	396	dcf.exe	56
PID 396 wrote to memory of 3456	396	dcf.exe	56
PID 396 wrote to memory of 3456	396	dcf.exe	56
PID 396 wrote to memory of 3456	396	dcf.exe	56
PID 396 wrote to memory of 3456	396	dcf.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\65ee8d252127a1222bbba889ce0e47e8_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\dcf.exe
    C:\Users\Admin\AppData\Local\Temp/dcf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcf.exe

Filesize
200KB

MD5
9fd745e5becdc74e00624c3974d6e076

SHA1
6e0def97f937095694735fce11590be7a4a19fde

SHA256
e929b00f66e9b0bdfc01f693ad5cbe5d2e3cb24158dc0a815dd604f1e4c2b8a8

SHA512
d64421b10aab2fbad15a769a73cd577f27dd05f074776dc9283c673354312357bcb59d99eab02dff4e31962be1f05dd815ea9533b766970800dcdf5c9630e8a6

Download Submit
memory/396-25-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-35-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-44-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-43-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/396-36-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-38-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-39-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-37-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-31-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/396-27-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-28-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-30-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-26-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-32-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/396-23-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-6-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/2340-18-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-20-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-17-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2340-3-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2340-0-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2340-21-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2340-19-0x0000000000990000-0x00000000009CD000-memory.dmp

Filesize
244KB

Download
memory/2340-8-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-9-0x0000000075080000-0x0000000075170000-memory.dmp

Filesize
960KB

Download
memory/2340-5-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/2340-1-0x0000000000990000-0x00000000009CD000-memory.dmp

Filesize
244KB

Download
memory/2340-7-0x00000000750A0000-0x00000000750A1000-memory.dmp

Filesize
4KB

Download
memory/2340-4-0x00000000771A2000-0x00000000771A3000-memory.dmp

Filesize
4KB

Download
memory/3456-34-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3456-29-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing