4316ccfc7d2509ffcb2ed35efcb054dbbcc5d31c3d0002b29ec385d12c78e8a6

General

Target

a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
Size

6.9MB
MD5

a8485e65dbcec636abd54112746c82a2
SHA1

1f2c655bc6ce5c59f3a573ef28ef5a519742fb27
SHA256

4316ccfc7d2509ffcb2ed35efcb054dbbcc5d31c3d0002b29ec385d12c78e8a6
SHA512

25d4337952206994cd6b805665a6311314d055fa48266991a8afc05ea5b36de327566990851e08d5355ec7fbfa775bd34f6a71fff34a7344d5e850093ebeeb74
SSDEEP

196608:V8hzWbjm+phyo0JXZ8XcL4j+1dBjqjrO1t23CogRC9flGV:Vpba+HyJqkoWEjrOzogaflm

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234d8-15.dat	acprotect
behavioral2/files/0x00070000000234d9-16.dat	acprotect
behavioral2/files/0x00070000000234dc-21.dat	acprotect
behavioral2/files/0x00070000000234db-24.dat	acprotect
behavioral2/files/0x00070000000234da-22.dat	acprotect
behavioral2/files/0x00070000000234de-14.dat	acprotect
behavioral2/files/0x00070000000234dd-12.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234df-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1432	vmde.exe

Loads dropped DLL 8 IoCs

pid	Process
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe
1432	vmde.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234d8-15.dat	upx
behavioral2/files/0x00070000000234d9-16.dat	upx
behavioral2/files/0x00070000000234dc-21.dat	upx
behavioral2/files/0x00070000000234db-24.dat	upx
behavioral2/files/0x00070000000234da-22.dat	upx
behavioral2/memory/1432-20-0x000000007C340000-0x000000007C3A0000-memory.dmp	upx
behavioral2/files/0x00070000000234de-14.dat	upx
behavioral2/files/0x00070000000234dd-12.dat	upx
behavioral2/memory/1432-28-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral2/memory/1432-29-0x0000000010000000-0x000000001050D000-memory.dmp	upx
behavioral2/memory/1432-30-0x0000000001080000-0x0000000001131000-memory.dmp	upx
behavioral2/memory/1432-31-0x0000000065000000-0x00000000657B3000-memory.dmp	upx
behavioral2/memory/1432-33-0x0000000064000000-0x00000000640DB000-memory.dmp	upx
behavioral2/memory/1432-32-0x000000007C3A0000-0x000000007C45A000-memory.dmp	upx
behavioral2/memory/1432-34-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral2/memory/1432-43-0x000000007C340000-0x000000007C3A0000-memory.dmp	upx
behavioral2/memory/1432-41-0x0000000065000000-0x00000000657B3000-memory.dmp	upx
behavioral2/memory/1432-87-0x0000000067000000-0x0000000067226000-memory.dmp	upx
behavioral2/memory/1432-95-0x0000000067000000-0x0000000067226000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmde.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1432	3216	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	85
PID 3216 wrote to memory of 1432	3216	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	85
PID 3216 wrote to memory of 1432	3216	a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8485e65dbcec636abd54112746c82a2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\vmde.exe
  vmde.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\QtNetwork4.dll

Filesize
262KB

MD5
0f10df8cc40af94df4c7d3886781fcfe

SHA1
8de6ea60e927800b8ef1cd87f38fca3729991ae8

SHA256
f523ff1b10c2f838a16ef6e938b83ebfc3a0fdbf2a861b1d3a48e95a34db4ee4

SHA512
66db96f7752e0c06ac51ad52b47a714126d21146621d646b6c3d15a2833b10ec1ebffc9096d6252db117166756113992f74fe1d5e26f257a67a98c044a98a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\blas_win32.dll

Filesize
213KB

MD5
e1509181fa99abefb771109d82bd9a62

SHA1
2e3d9ec7eb032efeb2a3d44ce7f5655024698f80

SHA256
1e7150d26f7a1ea432edcd5cd28e7eaefeedc51448fc0d2acbea1f40a07206d3

SHA512
baaece000533726acadc569cbf1ee82278b429e8f435bcb9a444f245d029659309f2986da05ce80be1c6b967cc2f2d3058599089b453d12327aaa15297eb4d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\lapack_win32.dll

Filesize
1.1MB

MD5
8dc987990b1f48c6790ead6528996914

SHA1
dfb85da28ea9d29cb7039c998c82efd19f137089

SHA256
0ff67e9bd549f0cf4c0bf0299fc37694ef67c33c5cd32f37c1f0ae6b93466f89

SHA512
155f69ab77614c5a4463641ef72d94c959a6598369c08cfaea151f0aaf3a4d51c2ceb0924c559780e4158c4883f6fda8dbfd30e6ecb97319d655c977b54738b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\msvcp71.dll

Filesize
291KB

MD5
5f38087a4fb737444b16eef179bf1551

SHA1
0518f6196fdb8be025746ec342d0ba239a37aeee

SHA256
2e5e3a3377cff2d740cff4d4cead3abff20381016f8f41a783e0f3c8d9d5ad10

SHA512
5f8c4f97dbc053c23cdeebd7344a780df008fd32f1c3f2b7df605e6213e3f75e8a2ea82a230463f9392237ea672627d612638d6745ba545e863aa57c757ef032

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\msvcr71.dll

Filesize
152KB

MD5
ba5dde4ba6e5063708ff9a748ea0f134

SHA1
3d5d8e8fe1ec5257fd753b835cc623ec2fcf24c3

SHA256
ced07ca0854b8235102098c37820af8b61ead44248097523bf4490b521b1ce0b

SHA512
c1f54e64ca92c6d490c85f6ea1583fcbf876ff87609bd25313daa4fe474f60a29cf7b55ff6727276a5c41c6018f89dee2d80f238233c2b6ecf3f85d61bcee76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\qtcore4.dll

Filesize
717KB

MD5
0f5ab45c176691d232007c469b5c8793

SHA1
529e80ff917b1911af47d470a0062a8866778e99

SHA256
2de1e3685c117fc5c5352d79bd41b7ef431d78a4be5547f18fd3f17b372c3a41

SHA512
9108490b5f7881c5d66adb1281b62a56045e6d1d2ab4280046bf8e3f47b14f479838042a96da3300013521fce1166930919a5301921c3f1318def97c31a3fd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\qtgui4.dll

Filesize
2.7MB

MD5
b8214751b658c83cd70deb08870edc1e

SHA1
d18b424abcf22c7baa727c42264f47a47b4e1d39

SHA256
410105d8b87a0a0541d6a12a150e2b30b7122457e05bfc4410e25d7870811d84

SHA512
e205de4d77f63d09fa55f02593ed045fa9be5bec03eb23b0866c5e532c36171f04cce12dccb7d00d5d095e016257a743ce364a54b5c48a868be4702810285681

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSISSFX\VectorMagic\vmde.exe

Filesize
2.5MB

MD5
36bf89a20893d955413199842bba9a11

SHA1
cefe4ca8e011d135da8a13f6d9c9057a400d7c4a

SHA256
6f1ae21dd65e1e6d19f5dcf9a1e25bc0fcc24d5d3dfa2705b3c8ec1bb943333b

SHA512
c7902b2af47a082766496a9af6b931f9089792a55fbe81b454b9c5309e72f162845801b5fa673126d4d9323500c46530c490131d56dae04fd1c8a48e0be020a1

Download Submit
memory/1432-28-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1432-32-0x000000007C3A0000-0x000000007C45A000-memory.dmp

Filesize
744KB

Download
memory/1432-20-0x000000007C340000-0x000000007C3A0000-memory.dmp

Filesize
384KB

Download
memory/1432-29-0x0000000010000000-0x000000001050D000-memory.dmp

Filesize
5.1MB

Download
memory/1432-30-0x0000000001080000-0x0000000001131000-memory.dmp

Filesize
708KB

Download
memory/1432-31-0x0000000065000000-0x00000000657B3000-memory.dmp

Filesize
7.7MB

Download
memory/1432-33-0x0000000064000000-0x00000000640DB000-memory.dmp

Filesize
876KB

Download
memory/1432-17-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1432-34-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1432-43-0x000000007C340000-0x000000007C3A0000-memory.dmp

Filesize
384KB

Download
memory/1432-41-0x0000000065000000-0x00000000657B3000-memory.dmp

Filesize
7.7MB

Download
memory/1432-35-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1432-87-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download
memory/1432-95-0x0000000067000000-0x0000000067226000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing