f18778974432f3f4e360389b407a4efcb8b3200606da302262e5c98581fefed4

General

Target

0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe
Size

96KB
MD5

0fe7e3afaffee4ede09af907e7c32ca5
SHA1

ee7503e724daee70fcb844755b2ea2700da59813
SHA256

f18778974432f3f4e360389b407a4efcb8b3200606da302262e5c98581fefed4
SHA512

76350c38a7c7a64145ceb4e3e54c8921d13d706fb5c16b7c72b1137cc769ff35d4e50ba5c221f1a2faee7066df7a7813ca7acf256a63071199feba84067e83f6
SSDEEP

1536:l2bfrsoEBG5b6UR/W5stk4TeXTZSy0777777777777777777777777777777777g:oTgoEBc6sO50k4SDl07777777777777g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	svchost32.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe
2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File opened for modification	C:\Windows\SysWOW64\svchost32.exe	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe\svchost32.exe	svchost32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1676	2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1676	2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1676	2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1676	2296	0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fe7e3afaffee4ede09af907e7c32ca5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\svchost32.exe
  C:\Windows\system32\svchost32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\svchost32.exe

Filesize
96KB

MD5
0fe7e3afaffee4ede09af907e7c32ca5

SHA1
ee7503e724daee70fcb844755b2ea2700da59813

SHA256
f18778974432f3f4e360389b407a4efcb8b3200606da302262e5c98581fefed4

SHA512
76350c38a7c7a64145ceb4e3e54c8921d13d706fb5c16b7c72b1137cc769ff35d4e50ba5c221f1a2faee7066df7a7813ca7acf256a63071199feba84067e83f6

Download Submit
memory/1676-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-3-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2296-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads