dff68e4d171f74a2309b0602c6e91b3dcd3029c495644ddfe870dc2f415636d1

General

Target

f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe
Size

695KB
MD5

f154666c1217bffef4092f61ebfc60ca
SHA1

5fca2da5fc027c6fd98d08f40d9b9e66376f247a
SHA256

dff68e4d171f74a2309b0602c6e91b3dcd3029c495644ddfe870dc2f415636d1
SHA512

3c4f13a0bf9ffd91f20a52e3cc3b63fed22e9849ce41e2164bda798d412a43f1ec5b7d453dae616118a052bdfa5ca451fd81d9b0e2da70234a118580976d7691
SSDEEP

12288:BnzA7ECv7XX3cyvulm8hETUA0mnYWj+CgEyOvHHcclfxF3Z4mxxI9DPyfroyd7yb:RzLCv73cyvukUA0mYu+7OvcclfxQmXIL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3020	2508	svchost.exe	29
PID 2508 wrote to memory of 3020	2508	svchost.exe	29
PID 2508 wrote to memory of 3020	2508	svchost.exe	29
PID 2508 wrote to memory of 3020	2508	svchost.exe	29
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2536	1900	f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f154666c1217bffef4092f61ebfc60ca_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2536

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
695KB

MD5
f154666c1217bffef4092f61ebfc60ca

SHA1
5fca2da5fc027c6fd98d08f40d9b9e66376f247a

SHA256
dff68e4d171f74a2309b0602c6e91b3dcd3029c495644ddfe870dc2f415636d1

SHA512
3c4f13a0bf9ffd91f20a52e3cc3b63fed22e9849ce41e2164bda798d412a43f1ec5b7d453dae616118a052bdfa5ca451fd81d9b0e2da70234a118580976d7691

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
805d1e2ed0cb7122bba861df5a79254b

SHA1
d648db3e5b49899eab9435434de09392a244299d

SHA256
1d4f0c08552ed3a27ae55de506bb530cf171cbeb67e88737e15aaec306add6f4

SHA512
33b4dde0b8783119d9a1121d8142d13d46150065e930882592069c3a8a5f532e0fb7523b98293092d943e940b71d770d832427c0b1d153b16908abb2600a5d7b

Download Submit
memory/1900-2-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1900-11-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1900-8-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1900-7-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1900-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1900-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1900-4-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1900-3-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1900-0-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1900-9-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1900-10-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1900-27-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/1900-26-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1900-1-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2508-17-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2508-16-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2508-15-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2508-29-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2508-31-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing