0a1f2621b58e3e5fae881db92e2441bca2e8b0077df7e3a74defd1e694e85bff

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
Size

216KB
MD5

005d20edcc90e9234e3b42a893b7f7af
SHA1

6c924e1522c349b791b0ae1e7a3e799ae3035136
SHA256

0a1f2621b58e3e5fae881db92e2441bca2e8b0077df7e3a74defd1e694e85bff
SHA512

90a5f2ae7857e194baa9590ec4f3824ce913dd8b514c964ec34939cb4bf8f37cb7e1e56aa6299ca882f2478c8d4f26a54fb549ef6ef5439a5c81c9cabc8fbd05
SSDEEP

3072:Qdvyk8v4e7lXJj7iV7wMcIFbEym6YrDnfqav1R7a/C:9k8QeZVIw54EBjD71RW/C

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1312	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	21
PID 1936 wrote to memory of 336	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	2
PID 1936 wrote to memory of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2564	1936	005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe	28
PID 336 wrote to memory of 2596	336	csrss.exe	30
PID 336 wrote to memory of 2596	336	csrss.exe	30
PID 336 wrote to memory of 2468	336	csrss.exe	31
PID 336 wrote to memory of 2468	336	csrss.exe	31
PID 336 wrote to memory of 844	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1312
- C:\Users\Admin\AppData\Local\Temp\005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\005d20edcc90e9234e3b42a893b7f7af_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2564

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
3b82aeb51e7e66b073c4b58643daf757

SHA1
06a5b4f584f7a64dc7a52eef987c6bc4f0dae012

SHA256
ff9759a974191a7517f307d5caaeb42f95a4b4880b4116c47dbaf74c650e70e3

SHA512
407c9624b290fff8e76b1d43b875b08dd4ebf0261651f4affd034f7647c3a4cc33475d0a3b8b72e5a790eaa8815e3e8d8a4ace662939e1a722cd8136768883a4

Download Submit
memory/336-30-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/336-24-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/336-21-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/336-19-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/844-40-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/844-33-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/844-51-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/844-43-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/844-44-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/844-36-0x0000000000CD0000-0x0000000000CDB000-memory.dmp

Filesize
44KB

Download
memory/844-41-0x0000000000D60000-0x0000000000D6B000-memory.dmp

Filesize
44KB

Download
memory/1312-14-0x0000000002F70000-0x0000000002F72000-memory.dmp

Filesize
8KB

Download
memory/1312-9-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/1312-13-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/1312-5-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/1936-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-2-0x0000000000432000-0x0000000000437000-memory.dmp

Filesize
20KB

Download
memory/1936-29-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-26-0x0000000000432000-0x0000000000437000-memory.dmp

Filesize
20KB

Download
memory/1936-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download