f76f53906f4af56d21e94820c5f263e83f7ad5b44b7a2fa75a33fb2aacf64fac

General

Target

d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
Size

168KB
MD5

d3bc5b67a53b6d08886755aaa1df2da4
SHA1

c0d1a4b9d5bdcc7bb47ee0ca4324ec1c1f6dc801
SHA256

f76f53906f4af56d21e94820c5f263e83f7ad5b44b7a2fa75a33fb2aacf64fac
SHA512

fb6371c75aded502d5bbfb5ec72b5b558a947b4958922853dd9ba71c3c2e6198f2da41fd979b0d846a804646bbf252a02b011e82a9780cacfb23de2cc471828d
SSDEEP

3072:QwjmK0lZmJLSIfQy4ueKep31ndyp6W6RLeYwAEc9Z7XTadCoz79EFWFMqE8:QbNhI4y4ueK63VdI6W6RLfTEG70CozYs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2744	keygen.exe
2892	ic1.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
2744	keygen.exe
2744	keygen.exe
2744	keygen.exe
2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016307-3.dat	upx
behavioral1/memory/2316-4-0x0000000000F40000-0x0000000000FA0000-memory.dmp	upx
behavioral1/memory/2744-15-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2892-25-0x00000000004B0000-0x0000000000530000-memory.dmp	upx
behavioral1/memory/2744-30-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-31-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-33-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-34-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-35-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-38-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-39-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-40-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-41-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-42-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-43-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-44-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2744-45-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2744	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2892	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2892	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2892	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2892	2316	d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3bc5b67a53b6d08886755aaa1df2da4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\keygen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8A19.tmp\keygen.exe

Filesize
125KB

MD5
8e9081cbbbe09c181fd16eeab67ddf6d

SHA1
25c7e8464f51d3ee511ba059d446b27004734562

SHA256
41fc5e08dad9818b2e6e815c3672a9554776207c40a441625aa39c8374e95569

SHA512
b99387681d1b0c9a23cd81589268da7406b0cf29f47847a125f444198cb588c7bae738c0aea34342419feff0805ae19259ffa0917f46ac8437c3cb2e97b58ada

Download Submit
memory/2316-4-0x0000000000F40000-0x0000000000FA0000-memory.dmp

Filesize
384KB

Download
memory/2744-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-36-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-16-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2744-45-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-44-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-30-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-31-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-43-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-33-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-35-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-17-0x0000000000240000-0x00000000002A0000-memory.dmp

Filesize
384KB

Download
memory/2744-37-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-38-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-39-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2744-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2892-32-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/2892-26-0x000000001AF00000-0x000000001AF60000-memory.dmp

Filesize
384KB

Download
memory/2892-25-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing