4316ccfc7d2509ffcb2ed35efcb054dbbcc5d31c3d0002b29ec385d12c78e8a6

General

Target

a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
Size

6.9MB
MD5

a8485e65dbcec636abd54112746c82a2
SHA1

1f2c655bc6ce5c59f3a573ef28ef5a519742fb27
SHA256

4316ccfc7d2509ffcb2ed35efcb054dbbcc5d31c3d0002b29ec385d12c78e8a6
SHA512

25d4337952206994cd6b805665a6311314d055fa48266991a8afc05ea5b36de327566990851e08d5355ec7fbfa775bd34f6a71fff34a7344d5e850093ebeeb74
SSDEEP

196608:V8hzWbjm+phyo0JXZ8XcL4j+1dBjqjrO1t23CogRC9flGV:Vpba+HyJqkoWEjrOzogaflm

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001879f-16.dat	acprotect
behavioral1/files/0x0006000000018736-29.dat	acprotect
behavioral1/files/0x000600000001878c-31.dat	acprotect
behavioral1/files/0x000600000001877f-36.dat	acprotect
behavioral1/files/0x00070000000186f7-28.dat	acprotect
behavioral1/files/0x00070000000186e4-21.dat	acprotect
behavioral1/files/0x0008000000018bfc-19.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00050000000194a1-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1924	vmde.exe

Loads dropped DLL 12 IoCs

pid	Process
2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe
1924	vmde.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001879f-16.dat	upx
behavioral1/memory/1924-25-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral1/memory/1924-27-0x000000007C3A0000-0x000000007C45A000-memory.dmp	upx
behavioral1/files/0x0006000000018736-29.dat	upx
behavioral1/files/0x000600000001878c-31.dat	upx
behavioral1/memory/1924-33-0x0000000064000000-0x00000000640DB000-memory.dmp	upx
behavioral1/files/0x000600000001877f-36.dat	upx
behavioral1/memory/1924-41-0x0000000010000000-0x000000001050D000-memory.dmp	upx
behavioral1/memory/1924-45-0x0000000000230000-0x00000000002E1000-memory.dmp	upx
behavioral1/memory/1924-32-0x0000000065000000-0x00000000657B3000-memory.dmp	upx
behavioral1/files/0x00070000000186f7-28.dat	upx
behavioral1/memory/1924-24-0x000000007C340000-0x000000007C3A0000-memory.dmp	upx
behavioral1/files/0x00070000000186e4-21.dat	upx
behavioral1/files/0x0008000000018bfc-19.dat	upx
behavioral1/memory/1924-46-0x000000007C340000-0x000000007C3A0000-memory.dmp	upx
behavioral1/memory/1924-47-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral1/memory/1924-48-0x000000007C3A0000-0x000000007C45A000-memory.dmp	upx
behavioral1/memory/1924-49-0x0000000065000000-0x00000000657B3000-memory.dmp	upx
behavioral1/memory/1924-50-0x0000000064000000-0x00000000640DB000-memory.dmp	upx
behavioral1/memory/1924-51-0x0000000010000000-0x000000001050D000-memory.dmp	upx
behavioral1/memory/1924-60-0x0000000000230000-0x00000000002E1000-memory.dmp	upx
behavioral1/memory/1924-55-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral1/memory/1924-104-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral1/memory/1924-113-0x0000000067000000-0x0000000067226000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmde.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1924	2552	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\vmde.exe
  vmde.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\lapack_win32.dll

Filesize
1.1MB

MD5
8dc987990b1f48c6790ead6528996914

SHA1
dfb85da28ea9d29cb7039c998c82efd19f137089

SHA256
0ff67e9bd549f0cf4c0bf0299fc37694ef67c33c5cd32f37c1f0ae6b93466f89

SHA512
155f69ab77614c5a4463641ef72d94c959a6598369c08cfaea151f0aaf3a4d51c2ceb0924c559780e4158c4883f6fda8dbfd30e6ecb97319d655c977b54738b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\msvcp71.dll

Filesize
291KB

MD5
5f38087a4fb737444b16eef179bf1551

SHA1
0518f6196fdb8be025746ec342d0ba239a37aeee

SHA256
2e5e3a3377cff2d740cff4d4cead3abff20381016f8f41a783e0f3c8d9d5ad10

SHA512
5f8c4f97dbc053c23cdeebd7344a780df008fd32f1c3f2b7df605e6213e3f75e8a2ea82a230463f9392237ea672627d612638d6745ba545e863aa57c757ef032

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\qtnetwork4.dll

Filesize
262KB

MD5
0f10df8cc40af94df4c7d3886781fcfe

SHA1
8de6ea60e927800b8ef1cd87f38fca3729991ae8

SHA256
f523ff1b10c2f838a16ef6e938b83ebfc3a0fdbf2a861b1d3a48e95a34db4ee4

SHA512
66db96f7752e0c06ac51ad52b47a714126d21146621d646b6c3d15a2833b10ec1ebffc9096d6252db117166756113992f74fe1d5e26f257a67a98c044a98a70d

Download Submit
\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\QtCore4.dll

Filesize
717KB

MD5
0f5ab45c176691d232007c469b5c8793

SHA1
529e80ff917b1911af47d470a0062a8866778e99

SHA256
2de1e3685c117fc5c5352d79bd41b7ef431d78a4be5547f18fd3f17b372c3a41

SHA512
9108490b5f7881c5d66adb1281b62a56045e6d1d2ab4280046bf8e3f47b14f479838042a96da3300013521fce1166930919a5301921c3f1318def97c31a3fd21

Download Submit
\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\QtGui4.dll

Filesize
2.7MB

MD5
b8214751b658c83cd70deb08870edc1e

SHA1
d18b424abcf22c7baa727c42264f47a47b4e1d39

SHA256
410105d8b87a0a0541d6a12a150e2b30b7122457e05bfc4410e25d7870811d84

SHA512
e205de4d77f63d09fa55f02593ed045fa9be5bec03eb23b0866c5e532c36171f04cce12dccb7d00d5d095e016257a743ce364a54b5c48a868be4702810285681

Download Submit
\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\blas_win32.dll

Filesize
213KB

MD5
e1509181fa99abefb771109d82bd9a62

SHA1
2e3d9ec7eb032efeb2a3d44ce7f5655024698f80

SHA256
1e7150d26f7a1ea432edcd5cd28e7eaefeedc51448fc0d2acbea1f40a07206d3

SHA512
baaece000533726acadc569cbf1ee82278b429e8f435bcb9a444f245d029659309f2986da05ce80be1c6b967cc2f2d3058599089b453d12327aaa15297eb4d20

Download Submit
\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\msvcr71.dll

Filesize
152KB

MD5
ba5dde4ba6e5063708ff9a748ea0f134

SHA1
3d5d8e8fe1ec5257fd753b835cc623ec2fcf24c3

SHA256
ced07ca0854b8235102098c37820af8b61ead44248097523bf4490b521b1ce0b

SHA512
c1f54e64ca92c6d490c85f6ea1583fcbf876ff87609bd25313daa4fe474f60a29cf7b55ff6727276a5c41c6018f89dee2d80f238233c2b6ecf3f85d61bcee76a

Download Submit
\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\vmde.exe

Filesize
2.5MB

MD5
36bf89a20893d955413199842bba9a11

SHA1
cefe4ca8e011d135da8a13f6d9c9057a400d7c4a

SHA256
6f1ae21dd65e1e6d19f5dcf9a1e25bc0fcc24d5d3dfa2705b3c8ec1bb943333b

SHA512
c7902b2af47a082766496a9af6b931f9089792a55fbe81b454b9c5309e72f162845801b5fa673126d4d9323500c46530c490131d56dae04fd1c8a48e0be020a1

Download Submit
memory/1924-33-0x0000000064000000-0x00000000640DB000-memory.dmp

Filesize
876KB

Download
memory/1924-46-0x000000007C340000-0x000000007C3A0000-memory.dmp

Filesize
384KB

Download
memory/1924-41-0x0000000010000000-0x000000001050D000-memory.dmp

Filesize
5.1MB

Download
memory/1924-43-0x0000000001080000-0x00000000016D7000-memory.dmp

Filesize
6.3MB

Download
memory/1924-45-0x0000000000230000-0x00000000002E1000-memory.dmp

Filesize
708KB

Download
memory/1924-44-0x0000000001080000-0x00000000016D7000-memory.dmp

Filesize
6.3MB

Download
memory/1924-42-0x0000000001080000-0x00000000016D7000-memory.dmp

Filesize
6.3MB

Download
memory/1924-32-0x0000000065000000-0x00000000657B3000-memory.dmp

Filesize
7.7MB

Download
memory/1924-25-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1924-113-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1924-24-0x000000007C340000-0x000000007C3A0000-memory.dmp

Filesize
384KB

Download
memory/1924-23-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1924-104-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1924-27-0x000000007C3A0000-0x000000007C45A000-memory.dmp

Filesize
744KB

Download
memory/1924-47-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1924-48-0x000000007C3A0000-0x000000007C45A000-memory.dmp

Filesize
744KB

Download
memory/1924-49-0x0000000065000000-0x00000000657B3000-memory.dmp

Filesize
7.7MB

Download
memory/1924-50-0x0000000064000000-0x00000000640DB000-memory.dmp

Filesize
876KB

Download
memory/1924-51-0x0000000010000000-0x000000001050D000-memory.dmp

Filesize
5.1MB

Download
memory/1924-52-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1924-60-0x0000000000230000-0x00000000002E1000-memory.dmp

Filesize
708KB

Download
memory/1924-55-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/2552-15-0x0000000002D80000-0x00000000033D7000-memory.dmp

Filesize
6.3MB

Download
memory/2552-109-0x0000000002D80000-0x00000000033D7000-memory.dmp

Filesize
6.3MB

Download
memory/2552-26-0x0000000002D80000-0x00000000033D7000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing