95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba

General

Target

007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
Size

536KB
MD5

007ed768ceb285948ced9dbf3e3aeff3
SHA1

44957ce087b4588a9c561ecad088eb692bb6db6f
SHA256

95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba
SHA512

9af05a8b7ecfbcb361541c895ee03c4d9c64b2aad6547a8c2ba9ad9c3f515260bf63005faeef1f6f98978e1df9b5d9bdd92b7e38f873b0749ec25f461e739aef
SSDEEP

12288:N/Nczc06iRQPRXNkDMHQo30veSBiQPp4kv8Tq:zmc06++kDXRGELPpFU2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3588	Mok.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\systme32\Mok.exe	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
File opened for modification	C:\Windows\systme32\Mok.exe	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3476	3132	WerFault.exe	81
2584	3588	WerFault.exe	88

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
Token: SeDebugPrivilege	3588	Mok.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3588	Mok.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2224	3588	Mok.exe	91
PID 3588 wrote to memory of 2224	3588	Mok.exe	91

C:\Users\Admin\AppData\Local\Temp\007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\007ed768ceb285948ced9dbf3e3aeff3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 324
  2⤵
  - Program crash
  PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3132 -ip 3132
1⤵
PID:2072

C:\Windows\systme32\Mok.exe
C:\Windows\systme32\Mok.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 320
  2⤵
  - Program crash
  PID:2584
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3588 -ip 3588
1⤵
PID:3112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systme32\Mok.exe

Filesize
536KB

MD5
007ed768ceb285948ced9dbf3e3aeff3

SHA1
44957ce087b4588a9c561ecad088eb692bb6db6f

SHA256
95c986ebbfe26f86137e189ca4a9cd318d89038a6714788dfede7550d2cf19ba

SHA512
9af05a8b7ecfbcb361541c895ee03c4d9c64b2aad6547a8c2ba9ad9c3f515260bf63005faeef1f6f98978e1df9b5d9bdd92b7e38f873b0749ec25f461e739aef

Download Submit
memory/3132-7-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3132-10-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/3132-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-11-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/3132-4-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3132-9-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3132-8-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/3132-3-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3132-12-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3132-13-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3132-28-0x0000000000400000-0x0000000000506011-memory.dmp

Filesize
1.0MB

Download
memory/3132-2-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3132-1-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3132-16-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3132-6-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/3132-0-0x00000000008D0000-0x000000000091B000-memory.dmp

Filesize
300KB

Download
memory/3132-29-0x00000000008D0000-0x000000000091B000-memory.dmp

Filesize
300KB

Download
memory/3588-19-0x00000000009D0000-0x0000000000A1B000-memory.dmp

Filesize
300KB

Download
memory/3588-20-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/3588-23-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-27-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/3588-26-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-25-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-24-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-21-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/3588-22-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/3588-30-0x0000000000400000-0x0000000000506011-memory.dmp

Filesize
1.0MB

Download
memory/3588-31-0x00000000009D0000-0x0000000000A1B000-memory.dmp

Filesize
300KB

Download
memory/3588-32-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/3588-33-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-35-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-36-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-37-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/3588-38-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing