12c6ad5ace8558f895eba8af96aa4c6cd53cb6ca423a7d0cfd6af02f9100b429

General

Target

2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
Size

416KB
MD5

2461cbdc6b7b7259ce26beddd0412885
SHA1

11e7d766f35628a2ff4830383780572d02c67777
SHA256

12c6ad5ace8558f895eba8af96aa4c6cd53cb6ca423a7d0cfd6af02f9100b429
SHA512

8ba5cedbee938e8e4991346d4fffa42090e82cf02a9237815a3ee2d80cbc59c3c1afd15525721f5d379db59167fb46330b918c5d40e896968e9d1701caa6bd95
SSDEEP

12288:eeRIVTWUOUyfGgIHpnxYt/boZJijE5s4qQXvvv:eGyWjUyfGtY5oZpn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1732	svchost.exe
1300	clltaj.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\clltaj.exe	svchost.exe
File created	C:\Windows\SysWOW64\clltaj.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2008	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	80
PID 4800 wrote to memory of 2008	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	80
PID 4800 wrote to memory of 2008	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	80
PID 2008 wrote to memory of 1800	2008	csc.exe	82
PID 2008 wrote to memory of 1800	2008	csc.exe	82
PID 2008 wrote to memory of 1800	2008	csc.exe	82
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 4800 wrote to memory of 1732	4800	2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe	83
PID 1732 wrote to memory of 1300	1732	svchost.exe	84
PID 1732 wrote to memory of 1300	1732	svchost.exe	84
PID 1732 wrote to memory of 1300	1732	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2461cbdc6b7b7259ce26beddd0412885_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uov83wzj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CEB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CEA.tmp"
    3⤵
    PID:1800
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\clltaj.exe
    C:\Windows\system32\clltaj.exe 1036 "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3CEB.tmp

Filesize
1KB

MD5
3d19ec2d3f6d51f035afed9bc389a1ac

SHA1
29f7372c358afad24f71e91df9140263ba8c245f

SHA256
d1fb6c8d8785e7ef92ae3eae3baadb5886f2808c628c4dd79adf2781c9f212f2

SHA512
620f42bfebadaaf36d49fa279be8f21ccf5727d743d35f4451f3ebbc519cba1e7b13853e8e90a9d01c78a7f0ffb83a8ebbde1c8cc506416a0fd0b78a1c81bd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uov83wzj.dll

Filesize
10KB

MD5
1d7b679a9be0728270c523ff26075e09

SHA1
52d22b0ef85b0c61a34e4ce85981ac6a493f8d7a

SHA256
4a9c9d69cca5ba75a6b5d3cb150e94b4de830e2a26a1c2185afdee93d652657d

SHA512
8f95941413eb8876cea65a01522450efaeb8aa0865fb5dd23a6998891358ac764ab3493766a4e289099689ec9692ddaf2d63fc66fba3babe1a1c1dbe0748a945

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1KB

MD5
caf7ad8a6755ca9190121f60fc7d1886

SHA1
434e415c5db0560ac70a22546ce138a9190d0fbd

SHA256
7bfaa18112edd91b95795d1a080c3b768b585d1ed559e60d0d7368cfd9513d89

SHA512
d9b924cb49c2ebcaf58cfd0ecaa7c026076c22ddc75008b40bc0f62a9d76d464e20cae93028974f73ee1232e6ad6f9927882a20f42a728ec6d821d030002f1ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3CEA.tmp

Filesize
652B

MD5
ab360762682cae7e6ae928fdd3cd196f

SHA1
0f892813c7d034275ce931255e69bf191d7fc882

SHA256
1d1f9ab2b3951625fb3d99e47203af1e2404c8bf1280d75bc886fb2d5a72c592

SHA512
95535ebf8dd17dd916183cf5b62575de373d896e3ba3f616e7dc168678f4f1d24b37c9dadc6bd1ed934bfc9036210011e7d14c8049a097d675a0b28cab963315

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uov83wzj.0.cs

Filesize
8KB

MD5
164dc3f006aea54e9f83a8d96e366164

SHA1
a32fb4dd0b29075a0f94000b61ee441be21c879e

SHA256
38ce0b573e1aa8eac080f26b57829a5bbc49104f98305932cc8bc1e3cc226d14

SHA512
b6391ccf6e150039056e98c82e47a45f328c699a130412863c633d1506af50c9babe2a299383ce1c32a8abdb7fe61a9b3724a5afda61605e2844114ca0e47ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uov83wzj.cmdline

Filesize
187B

MD5
99fba10454703aa41740c4bb4e067aab

SHA1
98b70199c2025869145eb41b2f86e2e6415fdef1

SHA256
d12f2ea8110e27ae6fd42b9bf02c4d7450a1cd94f7b75ae1c3308ac35bb8eccc

SHA512
6992fadc1fe2c38e68399ec1dcc5b906f4ce5068bbdac1c245968d4453a5a557a58465f9974f3821bff632eb841c3db96bfacabc5205b744c15c39a4f96a5c82

Download Submit
memory/1732-27-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1732-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1732-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1732-36-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2008-10-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/2008-15-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4800-2-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4800-1-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4800-0-0x0000000075282000-0x0000000075283000-memory.dmp

Filesize
4KB

Download
memory/4800-26-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads