32b3cd8773f5080d4efa08305b2a06224143aafdc3965b8513fa0deab25c0b65

General

Target

23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
Size

171KB
MD5

23c1b87f481f12eda3b25de567e8a1bc
SHA1

6faa4a9d11f77d05b0ca7b3086bd9cb6a4ab324a
SHA256

32b3cd8773f5080d4efa08305b2a06224143aafdc3965b8513fa0deab25c0b65
SHA512

65b667d9c89085b02bd2cac2dbd77b05d12d7244ce650409e98827921faf14fba0d4693d5018762e75a3d43bf65a890dc27f90f4820ba0d482beea866d716e69
SSDEEP

3072:07ML9/hRQ+k42NzTDYeiUZZZLhHM6McVz85+bRC02KTCDlmMR:0G9/h6zbNP8YZZZLVV5ySg0vClm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1396	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	21
PID 2984 wrote to memory of 336	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	2
PID 2984 wrote to memory of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2612	2984	23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe	28
PID 336 wrote to memory of 2496	336	csrss.exe	30
PID 336 wrote to memory of 2496	336	csrss.exe	30
PID 336 wrote to memory of 2616	336	csrss.exe	31
PID 336 wrote to memory of 2616	336	csrss.exe	31
PID 336 wrote to memory of 844	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:844
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\23c1b87f481f12eda3b25de567e8a1bc_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2612

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
4e109d7d32c244f9738118cd58d813df

SHA1
278af4abf5476aa32576e506e21d13068249e637

SHA256
0a52a091570f0842fbd083876a690ce0736ce7dd75529eeb306a569a41702544

SHA512
dc4a8e5f9a1dc0f90a144f32ca6743b47408de0dd22eb5c4fbd45dae0c5335f0c8b6767266e0a9ca12a6578d2c965131b3b97150c2ca384a585f7f81ce3354b0

Download Submit
memory/336-19-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/336-31-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/336-30-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/336-22-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/336-21-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/844-33-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/844-37-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/844-46-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/844-41-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/844-42-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/844-44-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/844-45-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/1396-14-0x0000000002100000-0x0000000002102000-memory.dmp

Filesize
8KB

Download
memory/1396-9-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/1396-5-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/1396-13-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/2984-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-2-0x0000000000427000-0x000000000042C000-memory.dmp

Filesize
20KB

Download
memory/2984-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2984-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-26-0x0000000000427000-0x000000000042C000-memory.dmp

Filesize
20KB

Download
memory/2984-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing