102fc74774e79c55c34c8514d9e289e415df28654b002a438a9a6ef4cdfbce6d

General

Target

03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
Size

623KB
MD5

03c00294c6f2518753f2d488d1052d2a
SHA1

b618801d54fce568c6250a5f98dc009e9c98ad4e
SHA256

102fc74774e79c55c34c8514d9e289e415df28654b002a438a9a6ef4cdfbce6d
SHA512

80a2fbd1e63e4ca283678a93070d01537a0abf8b53473ed3fe263d103d31ecfc162b6a760e857c50e0bf4a6ff1e4a76457bd024fa6d2542bc1fbdbf348caec3d
SSDEEP

12288:fS30HfNDAFEWpUewI9JE1BbH0VF3Z4mxx2DqVTVOCY8u3TsY:xFEFEWpXwI3eH0VQmXVVTzzu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4380	IEFILES.INI
4476	csrsser

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csrsser	IEFILES.INI
File opened for modification	C:\Windows\SysWOW64\csrsser	IEFILES.INI
File opened for modification	C:\Windows\SysWOW64\csrsser	csrsser

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4380	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	85
PID 220 wrote to memory of 4380	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	85
PID 220 wrote to memory of 4380	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	85
PID 220 wrote to memory of 4716	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	88
PID 220 wrote to memory of 4716	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	88
PID 220 wrote to memory of 4716	220	03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c00294c6f2518753f2d488d1052d2a_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\Uinstall.bat
  2⤵
  PID:4716

C:\Windows\SysWOW64\csrsser
C:\Windows\SysWOW64\csrsser
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
593KB

MD5
514ebd73e918413721ac5a9e3268d50c

SHA1
2451a3643ba3c232e973e33d011fe63c225bbd67

SHA256
c02182fecf9c1b7fae0503116bb7c0ed885f05b8b52de22f0d4de0b0923fd31a

SHA512
03462febb4bc2166bc2126c19db4726b52a1fea61fc364004dc3b7b3aa7153cca2f45061f83ef5177e77cdb57f3c81fa2389666b0c6a0f259f3faaeaf254ca37

Download Submit
\??\c:\Uinstall.bat

Filesize
212B

MD5
7aa1c90a4d3a360a7308ebb675c723fd

SHA1
087ebe75e98d2d6433f0b55270078c39c5ac46fa

SHA256
2c0aae3295e2dafb9bd328edb6956ed8513becd9f4ae3af6c55a439974a3bcfb

SHA512
14f3637cbb88dea26528c622161a20db9cf6e7ff1dd3a6bdc544120a70ff2202af983e0ced8eb7e9899c52f21f108696eaff4c4d11ef697ea496297ce0902a1e

Download Submit
memory/220-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4380-13-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4380-11-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4380-20-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4380-19-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4380-18-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/4380-17-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download
memory/4380-16-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4380-15-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4380-14-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/4380-22-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4380-12-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4380-21-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4380-10-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4380-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4380-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4380-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4380-5-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4380-30-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4380-29-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4380-6-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4476-27-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing