9413f7f8859ef6c1cdb503c2e9a6024a3f19a54cac1db0ec096c6ec79e173eab

General

Target

f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe
Size

376KB
MD5

f5a995829003dcd2ee5dc5adba1c0ef3
SHA1

af19f7825662fb91feb23f0fd263892e78e7a31b
SHA256

9413f7f8859ef6c1cdb503c2e9a6024a3f19a54cac1db0ec096c6ec79e173eab
SHA512

7bea118daa737ca99647f801f6fbd61e7022e6aaea5c9c60f242af1e8697443fc8331570d29c23aca21226dd24af58c6278a89a717fad78c831b51c060751818
SSDEEP

6144:Qv0aIIeONhHsCYCEiOuNoebhHFFAo3Tq08YbWOksvjQLcpk9pvEXCl3bl:Qv0aVnlsCYCVlFFdjq0lb/k29krD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3824	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 3824	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	3824	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4392	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	86
PID 2964 wrote to memory of 4392	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	86
PID 2964 wrote to memory of 4392	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	86
PID 4392 wrote to memory of 2208	4392	csc.exe	88
PID 4392 wrote to memory of 2208	4392	csc.exe	88
PID 4392 wrote to memory of 2208	4392	csc.exe	88
PID 2964 wrote to memory of 3824	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	89
PID 2964 wrote to memory of 3824	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	89
PID 2964 wrote to memory of 3824	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	89
PID 2964 wrote to memory of 3824	2964	f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yf-in11t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8686.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8685.tmp"
    3⤵
    PID:2208
- C:\Users\Admin\AppData\Roaming\f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Roaming\f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 12
    3⤵
    - Program crash
    PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3824 -ip 3824
1⤵
PID:4332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8686.tmp

Filesize
1KB

MD5
edf61fcc1b8153b78f5f124509bc4a34

SHA1
1daaab231a4b9a37d51e2b57d7bc99c724becdbb

SHA256
53bbe7684f5e5514b47409426fb11b02c2cad314610d8bf4de60b7772bfe1112

SHA512
206efe32e26ad058518ceaad9d35850c3a85a474e14bd411b8606ec521c86491ab6b277041c3b29a534ac2b5b33ae4c23142ccbe2490c9f49f38e22ce4a228b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yf-in11t.dll

Filesize
5KB

MD5
6a8e58c49a8e4cf5f7c6acdcb61054ef

SHA1
5e34e11b07e6cd7ce87e5806d6296c78c160f542

SHA256
99ebb09dfb5297ddbc985cd0919dd344566e759b3205c7a7b43dd2dac242f5d7

SHA512
3b8f4aa3b109bf0023cac8e621b09ce70affc34236ec2bbeee65ed9209e8cfab76bb99230e887c5d76c68c1369e48c65823e7e2ce30f22f0b2726236dc581b92

Download Submit
C:\Users\Admin\AppData\Roaming\f5a995829003dcd2ee5dc5adba1c0ef3_JaffaCakes118.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8685.tmp

Filesize
652B

MD5
76ea3c0da22d1cd2de435320904b8f1e

SHA1
1df7e972d54b1cce19dc2aee228c0036d6a8f380

SHA256
d40d68f4005dbeb4a96c12eb5689589e3bab3a97d99f8675c83dbb48974242d9

SHA512
82a7eed78897631c138dfd0c94e9e76d0a878833d73652ea37a4166ab2f2ee04198aab271cca84a60a93e488130ad37cf5af60198868c961dfe7f4cf891fe346

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yf-in11t.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yf-in11t.cmdline

Filesize
206B

MD5
e77c051f0fcc5d4878dd62b778e697eb

SHA1
50c9c3a469144a95414a1606fb2147eb78d70867

SHA256
c879dbcad5076990f63c08aec04a7f5634f448da4080145f7e51759df96a7f14

SHA512
9f7b84e011eea12f64f4cb293caf9172c85e9233ec7fc004b4401f9058a38ef9b00fab9ab27cd204b2d5173cea4fdc408a489022183e107af79cacccc2677ed3

Download Submit
memory/2964-0-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2964-2-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2964-1-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2964-22-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/4392-8-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing