330aa5695051cf9ef04b036ed42008a5300b0f357559cf59948de3d4bd86bda1

General

Target

8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
Size

564KB
MD5

8562ed564e8cbbea0a94c001692e65d2
SHA1

5607853daad67a939153614e37a7a990c7b8aeb5
SHA256

330aa5695051cf9ef04b036ed42008a5300b0f357559cf59948de3d4bd86bda1
SHA512

4a21cd228e6c42adf11540dc6e68c56b0a13d174e4dde1d38da5a09d0f2aae7e9388c6a6059129b5ef37693c7066d6836ed7a5758dd7f64f1c692cfe8f92565d
SSDEEP

12288:bmq1HjP6eP9huMI180UXAPOa2yM4UNuuegaNFTShd6PueC:bldjP6+ej4A2Xn+N0bD

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

pid	process
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2888 8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"{path}"
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"{path}"
2⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"{path}"
2⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"{path}"
2⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
"{path}"
2⤵
PID:2592

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x00000000003D0000-0x0000000000464000-memory.dmp

Filesize
592KB

Download
memory/2888-2-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-3-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2888-4-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2888-5-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-6-0x0000000002060000-0x00000000020C4000-memory.dmp

Filesize
400KB

Download
memory/2888-7-0x0000000004470000-0x00000000044BA000-memory.dmp

Filesize
296KB

Download
memory/2888-8-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2888 wrote to memory of 2620	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2620	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2620	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2620	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2608	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2608	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2608	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2608	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2104	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2104	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2104	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2104	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2832	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2832	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2832	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2832	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2592	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2592	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2592	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe
PID 2888 wrote to memory of 2592	2888	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe	8562ed564e8cbbea0a94c001692e65d2_JaffaCakes118.exe

Analysis

Sharing