673bed05a0caf94c9158c96232ea78a37fb57f08b35ba2336825987f094313d3

General

Target

e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
Size

473KB
MD5

e9859c2d23a7506437def96c67cd0e6f
SHA1

07182c463019a709bd2fa01504c986ad8283f1a6
SHA256

673bed05a0caf94c9158c96232ea78a37fb57f08b35ba2336825987f094313d3
SHA512

3bebd3880f0549b625ebb9d0d646e6c5b7f3308197c6bdaafca34d04adfb6325b0692b5b6cb44395fa77c90048a34f0d9237c509cc9e78ceebda0fafb0ec8ef8
SSDEEP

6144:YwNAATRfk/ZPCq28iGEJzKWHE5YA32cqT00zzQL+hQ5pU4OHEwwC7nPkoqHJFuZp:3rd+PpiGEJOMMQTSAemzJ7jkoqpssQh

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

pid	process
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 5084 e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:3568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5084-1-0x0000000000690000-0x000000000070C000-memory.dmp

Filesize
496KB

Download
memory/5084-0-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/5084-2-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/5084-3-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/5084-4-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/5084-5-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/5084-6-0x0000000005100000-0x0000000005108000-memory.dmp

Filesize
32KB

Download
memory/5084-7-0x00000000061F0000-0x000000000628C000-memory.dmp

Filesize
624KB

Download
memory/5084-8-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/5084-9-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/5084-10-0x0000000006880000-0x000000000690A000-memory.dmp

Filesize
552KB

Download
memory/5084-11-0x0000000008D50000-0x0000000008D94000-memory.dmp

Filesize
272KB

Download
memory/5084-13-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 5084 wrote to memory of 2832	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2832	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2832	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2976	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2976	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2976	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 1560	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 1560	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 1560	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2788	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2788	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 2788	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 3568	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 3568	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe
PID 5084 wrote to memory of 3568	5084	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe	e9859c2d23a7506437def96c67cd0e6f_JaffaCakes118.exe

Analysis

Sharing