102fc74774e79c55c34c8514d9e289e415df28654b002a438a9a6ef4cdfbce6d

General

Target

03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
Size

623KB
MD5

03c00294c6f2518753f2d488d1052d2a
SHA1

b618801d54fce568c6250a5f98dc009e9c98ad4e
SHA256

102fc74774e79c55c34c8514d9e289e415df28654b002a438a9a6ef4cdfbce6d
SHA512

80a2fbd1e63e4ca283678a93070d01537a0abf8b53473ed3fe263d103d31ecfc162b6a760e857c50e0bf4a6ff1e4a76457bd024fa6d2542bc1fbdbf348caec3d
SSDEEP

12288:fS30HfNDAFEWpUewI9JE1BbH0VF3Z4mxx2DqVTVOCY8u3TsY:xFEFEWpXwI3eH0VQmXVVTzzu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2408	IEFILES.INI
2712	csrsser

Loads dropped DLL 2 IoCs

pid	Process
1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csrsser	IEFILES.INI
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	IEFILES.INI
File opened for modification	C:\Windows\SysWOW64\csrsser	csrsser
File created	C:\Windows\SysWOW64\csrsser	IEFILES.INI

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2408	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	28
PID 1304 wrote to memory of 2408	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	28
PID 1304 wrote to memory of 2408	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	28
PID 1304 wrote to memory of 2408	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	28
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2596	1304	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\Uinstall.bat
  2⤵
  - Deletes itself
  PID:2596

C:\Windows\SysWOW64\csrsser
C:\Windows\SysWOW64\csrsser
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Uinstall.bat

Filesize
212B

MD5
7aa1c90a4d3a360a7308ebb675c723fd

SHA1
087ebe75e98d2d6433f0b55270078c39c5ac46fa

SHA256
2c0aae3295e2dafb9bd328edb6956ed8513becd9f4ae3af6c55a439974a3bcfb

SHA512
14f3637cbb88dea26528c622161a20db9cf6e7ff1dd3a6bdc544120a70ff2202af983e0ced8eb7e9899c52f21f108696eaff4c4d11ef697ea496297ce0902a1e

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
593KB

MD5
514ebd73e918413721ac5a9e3268d50c

SHA1
2451a3643ba3c232e973e33d011fe63c225bbd67

SHA256
c02182fecf9c1b7fae0503116bb7c0ed885f05b8b52de22f0d4de0b0923fd31a

SHA512
03462febb4bc2166bc2126c19db4726b52a1fea61fc364004dc3b7b3aa7153cca2f45061f83ef5177e77cdb57f3c81fa2389666b0c6a0f259f3faaeaf254ca37

Download Submit
memory/1304-4-0x0000000002D50000-0x0000000002E5A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-47-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1304-10-0x0000000002D50000-0x0000000002E5A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-21-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2408-17-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2408-26-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2408-25-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/2408-24-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2408-23-0x00000000032B0000-0x00000000032B3000-memory.dmp

Filesize
12KB

Download
memory/2408-22-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2408-28-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2408-20-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2408-19-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2408-18-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2408-27-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2408-15-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2408-14-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2408-13-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2408-11-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-38-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-39-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2408-12-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2712-36-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2712-33-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing