b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a

General

Target

2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
Size

208KB
MD5

2423171cb88f7063942c4d30dd8f76db
SHA1

f506f4a108ff0ad25cf4bbd8f4dca01cd84ef675
SHA256

b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a
SHA512

1df92c7f851ad254381006d3239159451a48fec5ba14516692c055e6014db07f172812a53ae3d20943e8b788d693e175808350d265498674d267809ca8a6539e
SSDEEP

1536:PDlTsrr7iKpTdx01CninHK0BtUwQTSO3uhldDNhJahnZfh972/n9KEsquXNangJi:9SK2/0Un0K0BLvO4nDmokSto2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\uwickwksa.dat	pt.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	pm.exe
2716	pt.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsconfig.db	pt.exe
File created	C:\Windows\SysWOW64\imm32.dll.bak	pt.exe
File created	C:\Windows\SysWOW64\imm32.dll	pt.exe
File created	C:\Windows\SysWOW64\kb1841194.dll	pt.exe
File opened for modification	C:\Windows\SysWOW64\kb1841194.dll	pt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system\pm.exe	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\pt.exe	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2716	pt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	pt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
1796	pm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1796	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	28
PID 1636 wrote to memory of 1796	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	28
PID 1636 wrote to memory of 1796	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	28
PID 1636 wrote to memory of 1796	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	28
PID 1636 wrote to memory of 2716	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2716	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2716	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2716	1636	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2812	2716	pt.exe	30
PID 2716 wrote to memory of 2812	2716	pt.exe	30
PID 2716 wrote to memory of 2812	2716	pt.exe	30
PID 2716 wrote to memory of 2812	2716	pt.exe	30

C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\WINDOWS\system\pm.exe
  C:\WINDOWS\system\pm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\WINDOWS\system\pt.exe
  C:\WINDOWS\system\pt.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\delf762b45.bat
    3⤵
    PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\uwickwksa.dat

Filesize
146B

MD5
b8bd12b0caf13ca16aeb3bcf529eebef

SHA1
25e26f9be22b597fc756234c88367deb63a8b129

SHA256
f240cc4076abfd6af09300ff2a3de7a0f93ea9102122b8dd86def5ce8dbd3906

SHA512
bf1ed887e78fdb3bf7f69f0fcd583ec0e5ad93c83561b142a61eafe66eefdc087e0616d700d03dd39680cb4bb49d66059a70bd5906d32ab9271c47a6432fe83b

Download Submit
C:\Windows\system\pt.exe

Filesize
13KB

MD5
90a88f8901863fb5cd511bec0573ea73

SHA1
9f613a65246230ffceb9db77165219686d00bb03

SHA256
f68b882a136314c5263b7f8b0e348cc00be742273302e315d570bc0389b2b803

SHA512
28e3595c295b2a8de2661eaa1de7b4837e5da5ca5ab59c9a16f3527b3e1d8f7af05f069a206275b2bee2ec257f85267232a83023d9ef091a3db2020bc14c7ac1

Download Submit
\??\c:\delf762b45.bat

Filesize
115B

MD5
c8e578a1355e57493e68854a00480416

SHA1
e60e87dd78cf2d44dff87c54d3f5679c0349f461

SHA256
81344fd47c60d455033257758dfe3b6d60d297c7d327bc24f310deb2e024a3a3

SHA512
a0f39aaed63a45756b827ce335ee0e8bdc739fa7026c3b70c8486c993683cd4706186e239b88009c4e61d3f14115411f3d5ce69dc971914e98da831efee9fbd9

Download Submit
\Windows\system\pm.exe

Filesize
168KB

MD5
646c4713aa658d4dcc175efd717f71e8

SHA1
33aeaf80c541fca2a49883bacc1c0d4ceffe9b0b

SHA256
66b832132dd451af542aa875297cd63c7609d6efe2760eea38298e370c94478d

SHA512
aab93f9c9009b08a582cc0ccaef623c94a98b83fd2f53aa23f8476ee686bcde1ed49e9e27f7b1d69f3e9f7192ea2453e120991046a567029a9e3980af58cd61d

Download Submit
memory/1636-20-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/1636-19-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/2716-40-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing