4c1d6d9b29a6623dc78b4712243c20c0d13ab79ad4015439e11e73f876f5800e

General

Target

07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
Size

219KB
MD5

07e127db8abd2591555514c2b86f6976
SHA1

eed0c74e3734b6f4ee884ab22e48ad639febd729
SHA256

4c1d6d9b29a6623dc78b4712243c20c0d13ab79ad4015439e11e73f876f5800e
SHA512

939ad4a13c18cccba24d4e900ff97d4d6d9cda18bbc2f2285205fd98afa678d304afd5a6a4647679e2b5cc00fe152c086cbe667e2cb4bbdd8bb8f276bfa085f9
SSDEEP

6144:51+DHtonus0AJfqR6NwhK3h89HNKnu4K+TK:+5dsFJyR6NwhA8pNKugTK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
340	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
340	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
340	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1084	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	18
PID 2872 wrote to memory of 340	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	2
PID 2872 wrote to memory of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2804	2872	07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe	28
PID 340 wrote to memory of 2448	340	csrss.exe	30
PID 340 wrote to memory of 2448	340	csrss.exe	30
PID 340 wrote to memory of 2888	340	csrss.exe	31
PID 340 wrote to memory of 2888	340	csrss.exe	31
PID 340 wrote to memory of 848	340	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1084
- C:\Users\Admin\AppData\Local\Temp\07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07e127db8abd2591555514c2b86f6976_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
332c8cc2db1502acb40aabd455babd9f

SHA1
bb32d4321d9153634d5aeeffe4c8c3bb314d76bf

SHA256
38cf10b6ed28d525ec688f93073b16eff2289066a16f86ba2219931a8600cdce

SHA512
22b9232a7af26d9bb9b1885edca790a8cd35fabd26a097712498731cacca6a72bd1c3349d58f8f4d2e0242a0d0c77d46fdd6d269933f6b63d329511813212a72

Download Submit
memory/340-29-0x0000000000BC0000-0x0000000000BD1000-memory.dmp

Filesize
68KB

Download
memory/340-20-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/340-28-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/340-21-0x0000000000BC0000-0x0000000000BD1000-memory.dmp

Filesize
68KB

Download
memory/340-19-0x0000000000BC0000-0x0000000000BD1000-memory.dmp

Filesize
68KB

Download
memory/848-43-0x0000000000B80000-0x0000000000B8B000-memory.dmp

Filesize
44KB

Download
memory/848-35-0x0000000000B70000-0x0000000000B7B000-memory.dmp

Filesize
44KB

Download
memory/848-39-0x0000000000B70000-0x0000000000B7B000-memory.dmp

Filesize
44KB

Download
memory/848-40-0x0000000000B80000-0x0000000000B8B000-memory.dmp

Filesize
44KB

Download
memory/848-42-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/848-31-0x0000000000B70000-0x0000000000B7B000-memory.dmp

Filesize
44KB

Download
memory/848-44-0x0000000000B80000-0x0000000000B8B000-memory.dmp

Filesize
44KB

Download
memory/1084-12-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/1084-13-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/1084-8-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/1084-4-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/2872-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-25-0x0000000000432000-0x0000000000436000-memory.dmp

Filesize
16KB

Download
memory/2872-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-3-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000432000-0x0000000000436000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing