12c6ad5ace8558f895eba8af96aa4c6cd53cb6ca423a7d0cfd6af02f9100b429

General

Target

2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
Size

416KB
MD5

2461cbdc6b7b7259ce26beddd0412885
SHA1

11e7d766f35628a2ff4830383780572d02c67777
SHA256

12c6ad5ace8558f895eba8af96aa4c6cd53cb6ca423a7d0cfd6af02f9100b429
SHA512

8ba5cedbee938e8e4991346d4fffa42090e82cf02a9237815a3ee2d80cbc59c3c1afd15525721f5d379db59167fb46330b918c5d40e896968e9d1701caa6bd95
SSDEEP

12288:eeRIVTWUOUyfGgIHpnxYt/boZJijE5s4qQXvvv:eGyWjUyfGtY5oZpn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2644	svchost.exe
2544	kfzoit.exe

Loads dropped DLL 4 IoCs

pid	Process
2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
2644	svchost.exe
2644	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kfzoit.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\kfzoit.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2596	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2596	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2596	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2596	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	28
PID 2596 wrote to memory of 3056	2596	csc.exe	30
PID 2596 wrote to memory of 3056	2596	csc.exe	30
PID 2596 wrote to memory of 3056	2596	csc.exe	30
PID 2596 wrote to memory of 3056	2596	csc.exe	30
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2644	2168	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2544	2644	svchost.exe	32
PID 2644 wrote to memory of 2544	2644	svchost.exe	32
PID 2644 wrote to memory of 2544	2644	svchost.exe	32
PID 2644 wrote to memory of 2544	2644	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8kbopbpa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2157.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2156.tmp"
    3⤵
    PID:3056
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\kfzoit.exe
    C:\Windows\system32\kfzoit.exe 532 "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8kbopbpa.dll

Filesize
10KB

MD5
8c10b3ba52026fd7b65fc559965760a8

SHA1
7199de313bc72df0adb4d5f528594e8eaebc15ed

SHA256
ba2668965225ed5a7f97b6b98bd81e4918f31693a7bcdc718852ba7f4d53d6b7

SHA512
3d6361ad733f0fd710f15d949206855a5b56e119862125b3e8f20328eff0f2ddc4c9eb5d2c9f214be86aed8eb900401a4f3088c21719f24c17e455a5c7244601

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2157.tmp

Filesize
1KB

MD5
273d4d3610a57e5a51bced31edb5477e

SHA1
403f6bc2dc55bd812a491dfc96d8844791262ce7

SHA256
1fa7f54d867bbef8dbf247c7a3cded88294daa5845a882943a8da5735cfd80c0

SHA512
98f6dc59b2b0bd81495b811bf11e28c194010973023cfd4f148448640e0915a988d9ae5f4e3a1dcda8aab009a56d06fd0e5004248db79e7846e7120a83ca8d70

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1KB

MD5
caf7ad8a6755ca9190121f60fc7d1886

SHA1
434e415c5db0560ac70a22546ce138a9190d0fbd

SHA256
7bfaa18112edd91b95795d1a080c3b768b585d1ed559e60d0d7368cfd9513d89

SHA512
d9b924cb49c2ebcaf58cfd0ecaa7c026076c22ddc75008b40bc0f62a9d76d464e20cae93028974f73ee1232e6ad6f9927882a20f42a728ec6d821d030002f1ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8kbopbpa.0.cs

Filesize
8KB

MD5
164dc3f006aea54e9f83a8d96e366164

SHA1
a32fb4dd0b29075a0f94000b61ee441be21c879e

SHA256
38ce0b573e1aa8eac080f26b57829a5bbc49104f98305932cc8bc1e3cc226d14

SHA512
b6391ccf6e150039056e98c82e47a45f328c699a130412863c633d1506af50c9babe2a299383ce1c32a8abdb7fe61a9b3724a5afda61605e2844114ca0e47ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8kbopbpa.cmdline

Filesize
187B

MD5
38e913a457032b7090c2b277f1b9a8f2

SHA1
80e679d7b6dfbb23d711cec1ca6a38b4be18c005

SHA256
f2f590a5ec279b4d21fa2c361754e2c35f545fe685afae63d589091c7fc90dbe

SHA512
d3bc6f621b16d15508f6ce1c5f49c7591572486b000e5ab05d7396152f704d4b11cde7bcf6126d0f058645ebf2904993ea57d832c441267231d98e8180572685

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2156.tmp

Filesize
652B

MD5
56f4ac72c31e6e8dc7967e0a49d6c5b1

SHA1
43dd8929bb3bef97576e581deb648118145c01d4

SHA256
eb0bd0ebba9b3bd15d06c46dfe312aec94237b7271d4038db021b52cc31755e7

SHA512
6f3867adec441aa5d205f55c7593d613744c31a3109ed2ea0a9310cad158bd58484e83e7bbbf721591a62be4f44354ce13a56d1761791d6ce0a1492e3498b3d4

Download Submit
memory/2168-39-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-15-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-32-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-38-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-35-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-31-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-30-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-29-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-27-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2644-52-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing