9e1e1e8f9d55e081d5b62de6a800ec97e2639a2c6b9aeef2a0283db23f861b44

General

Target

f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
Size

209KB
MD5

f2f8bb7a2f0403bde6b7cb93224a2b51
SHA1

3b22d749ffb7287720ed84fc7f53e27604a8d249
SHA256

9e1e1e8f9d55e081d5b62de6a800ec97e2639a2c6b9aeef2a0283db23f861b44
SHA512

0b9630268de8fa85c30ce9c1ba074e5cecebc6eeb8f9bf3f722ebf026b8a6f87c135297d78c291faf4d3ab4299e4ba16fe8a330f11b0042b2e0a69f91b10a7fc
SSDEEP

3072:OaA9B49NE+V6t7hlAAxLaPqnsV5CVi7UIUtZfnHUfaF2tbHB/mvgRJlI6Cio2amT:OXYNE8Crq9VW2Gfn8aktL88Y6CioHm7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2492 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 94.242.250.64
Destination IP 94.242.250.64
Destination IP 94.242.250.64
Destination IP 94.242.250.64
Drops desktop.ini file(s) 2 IoCs

Processes:

csrss.exe

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe
File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe

description pid process target process

PID 1720 set thread context of 2492 1720 f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe cmd.exe

pid	process
2492	cmd.exe

pid	process
340	csrss.exe

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

description	pid	process	target process
PID 1720 set thread context of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.execsrss.exe

pid	process
1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
340	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
Token: SeDebugPrivilege	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

csrss.exe

pid process

340 csrss.exe

pid	process
340	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.execsrss.exe

description	pid	process	target process
PID 1720 wrote to memory of 1204	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	Explorer.EXE
PID 1720 wrote to memory of 340	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	csrss.exe
PID 1720 wrote to memory of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe
PID 1720 wrote to memory of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe
PID 1720 wrote to memory of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe
PID 1720 wrote to memory of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe
PID 1720 wrote to memory of 2492	1720	f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe	cmd.exe
PID 340 wrote to memory of 2580	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 2580	340	csrss.exe	WMIADAP.EXE
PID 340 wrote to memory of 2144	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 2144	340	csrss.exe	wmiprvse.exe
PID 340 wrote to memory of 868	340	csrss.exe	svchost.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:868
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2f8bb7a2f0403bde6b7cb93224a2b51_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2492

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
1156037f349da3f50274a540fd5d84a7

SHA1
3b3df4533a44a70c86d376d62005a2d1efe69db6

SHA256
2a9020d473ce8db389649b0b7f882581bb26bdc24078535027137e0b1e677bf7

SHA512
43342b4929e03166a45496ffbd9ac13a3d48d0b2637f48f6a950be17e1cd421653fe31b3197311995472e213139cb46b226bf5a5dd6a011103837659ff90035c

Download Submit
memory/340-31-0x0000000000E40000-0x0000000000E51000-memory.dmp

Filesize
68KB

Download
memory/340-24-0x0000000000E40000-0x0000000000E51000-memory.dmp

Filesize
68KB

Download
memory/340-30-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download
memory/340-22-0x0000000000E40000-0x0000000000E51000-memory.dmp

Filesize
68KB

Download
memory/868-45-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/868-43-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/868-42-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/868-38-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/868-34-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/868-33-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/868-46-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/1204-15-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/1204-16-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download
memory/1204-11-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/1204-7-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/1720-29-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-26-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-27-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1720-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-5-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1720-4-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1720-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1720-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads