d66c3d6aa4a0ed92db2569589242ec14e60bc5fc0a459242cd02f50c1af0b70b

General

Target

e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
Size

143KB
MD5

e257a039b60b287a30e4658ff14ceaa1
SHA1

b2f81dd80056acea62bb2202dd11d075b9e4e73d
SHA256

d66c3d6aa4a0ed92db2569589242ec14e60bc5fc0a459242cd02f50c1af0b70b
SHA512

27dbad4066e5786ba0274c164127d03df31d9e8be40f465aa3488cb93069679c3e5c923f52273d5ccc2854ece7f1e676f80045f24f89af092a8f70b7042489ae
SSDEEP

3072:rDCmErwR/+UIVnbsFC2W5C2BzG2lPwIfmbSBeRdJs:rDCFrwR/+7b0u5L0uPwIebDRA

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
1644	powershell.exe
2524	powershell.exe
2876	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2192	2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2192	2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2192	2196	e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1644	2192	cmd.exe	30
PID 2192 wrote to memory of 1644	2192	cmd.exe	30
PID 2192 wrote to memory of 1644	2192	cmd.exe	30
PID 2192 wrote to memory of 2524	2192	cmd.exe	31
PID 2192 wrote to memory of 2524	2192	cmd.exe	31
PID 2192 wrote to memory of 2524	2192	cmd.exe	31
PID 2192 wrote to memory of 2876	2192	cmd.exe	32
PID 2192 wrote to memory of 2876	2192	cmd.exe	32
PID 2192 wrote to memory of 2876	2192	cmd.exe	32
PID 2192 wrote to memory of 2008	2192	cmd.exe	33
PID 2192 wrote to memory of 2008	2192	cmd.exe	33
PID 2192 wrote to memory of 2008	2192	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e257a039b60b287a30e4658ff14ceaa1_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z6O5N4NX4RJUSUHCHOCI.temp

Filesize
7KB

MD5
92973342f619f463111c84ac617ad268

SHA1
8434549cc9442c7db8513169c617618e9b1e7d4f

SHA256
6bcf6d15b034780e73f861c7447b1daef4c8b0e7837233239213690e03c8705a

SHA512
42a926b0b2cd538c3c82e6a27f3542cc51a02a174cbc9cd2bf719caf3bbcbac50b589e8310fd598e3a75012a12b323fd2e0d7be06428361f2168a2ee64be6fab

Download Submit
memory/1644-13-0x000007FEF2EA0000-0x000007FEF383D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-12-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/1644-14-0x000007FEF2EA0000-0x000007FEF383D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-8-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/1644-9-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1644-10-0x000007FEF2EA0000-0x000007FEF383D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-11-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2008-46-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-47-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-53-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-49-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-50-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-51-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-52-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-48-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-2-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2196-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-15-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-3-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2196-0-0x000000013FC00000-0x000000013FC28000-memory.dmp

Filesize
160KB

Download
memory/2524-23-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-26-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2524-22-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-21-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2524-24-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-25-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-27-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-29-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-28-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2876-40-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-35-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-39-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/2876-38-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download
memory/2876-37-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-36-0x0000000002300000-0x0000000002380000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads