ee6f3ffb067bcd7d37a5f6cb5cd3cfbbd88c5e21378dcf3dfecd03e46ed0abc5

General

Target

dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
Size

132KB
MD5

dba84bbfc4dab5235d874824aff53a63
SHA1

b75e33058f4672c3f41131df3bfe8f3412101ccc
SHA256

ee6f3ffb067bcd7d37a5f6cb5cd3cfbbd88c5e21378dcf3dfecd03e46ed0abc5
SHA512

52e0b386a91c85ce73c1cc4af01c811123e0f8ec94125a5de1768c93ba6d3d3e847f17dc8ab8159b52d90ad76dcde6e78ee81f74d73e1603b16b9997d6de889a
SSDEEP

3072:aBoX2mRpMxBYIZpicIGHirXgBgSAO+rB9tuqVVxoEpQ6BDuiIn:aBiRmxBYIZphIGHirgBtO3VaEplI

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015f41-6.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2700	fNYJwPp.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mshtml.dll	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dllvRogB	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dll	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dllvRogB	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll.mod	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mshtml.dll.mod	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vRogB.nCO	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File created	C:\Windows\fNYJwPp.exe	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
File opened for modification	C:\Windows\fNYJwPp.exe	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	2776	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2700	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2700	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2700	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2700	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2900	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	32
PID 2776 wrote to memory of 2900	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	32
PID 2776 wrote to memory of 2900	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	32
PID 2776 wrote to memory of 2900	2776	dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dba84bbfc4dab5235d874824aff53a63_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\fNYJwPp.exe
  "C:\Windows\fNYJwPp.exe"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 284
  2⤵
  - Program crash
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ComECDF.tmp

Filesize
90KB

MD5
a80481c362f846a32d81acb18e61efaa

SHA1
cf19286eac0ec9b068de2d6bf5bb14096360824d

SHA256
cac3eba1cf85317f40b4d0562a24b977de64f24b62d7dc38ede77f42cb919da1

SHA512
9d68984a31cf5664edef6fe9428633357b8d17a52f886b0e3ca615b1105df5b7d0543d737f2e84df4bd0f406e96b9bd457c5fde8d0be4561ce06c9865c3bee89

Download Submit
C:\Windows\fNYJwPp.exe

Filesize
61KB

MD5
60bce59975382ad4db5236f54cd25398

SHA1
68524d9d22b46efb1d70c520dcf22f6fb3226e70

SHA256
a05fa4372519522868d9c49b3c5e1cc9064b69e8b437824daf8d9576f4c7769a

SHA512
9ca1f5f43098c8ec19a929d6f0359586c77e1dd0e5bba472341fa2dabd6cf673b50624429714402c4e03dad79533635da62552448a5248402ecb0f15af51beb1

Download Submit
memory/2700-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-13-0x0000000000690000-0x00000000006AF000-memory.dmp

Filesize
124KB

Download
memory/2776-12-0x0000000000690000-0x00000000006AF000-memory.dmp

Filesize
124KB

Download
memory/2776-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-44-0x0000000000690000-0x00000000006AF000-memory.dmp

Filesize
124KB

Download
memory/2776-45-0x0000000000690000-0x00000000006AF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing