c9307db1f99ced594e0655092df7783e40527c6db3690bcc5004e09b6be3fba5

General

Target

27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
Size

861KB
MD5

27a00399f30760e47de1c46ae3bf94d6
SHA1

0d2754d68010fe33e81a33e5109adfc87fd42703
SHA256

c9307db1f99ced594e0655092df7783e40527c6db3690bcc5004e09b6be3fba5
SHA512

aae3561566f488aac805513c0b5dc87d500836bd35775c035be24051d76e1a2eebe19c09d974a6c83d05e5e2cf89974d39befa3dc3696b008960692376f1ba11
SSDEEP

24576:sAuCStU4gf2EW5A2DJr/kS4vGIk6v3Hf:lh43Dp/wPH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5028	systemy.exe
3436	systemz.exe
3980	WIN

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\antiy.dll	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systemz.exe	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WIN	WIN
File created	C:\Windows\SysWOW64\Deleteme.bat	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\antiy.dll	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systemy.exe	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\systemy.exe	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\systemz.exe	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WIN	systemz.exe
File opened for modification	C:\Windows\SysWOW64\WIN	systemz.exe
File opened for modification	C:\Windows\SysWOW64\systemz.exe	systemz.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	systemz.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
5028	systemy.exe
5028	systemy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
Token: SeDebugPrivilege	5028	systemy.exe
Token: SeDebugPrivilege	3436	systemz.exe
Token: SeDebugPrivilege	3980	WIN

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3404	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	56
PID 400 wrote to memory of 5028	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	85
PID 400 wrote to memory of 5028	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	85
PID 400 wrote to memory of 5028	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	85
PID 5028 wrote to memory of 3404	5028	systemy.exe	56
PID 400 wrote to memory of 3436	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	86
PID 400 wrote to memory of 3436	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	86
PID 400 wrote to memory of 3436	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	86
PID 3436 wrote to memory of 532	3436	systemz.exe	88
PID 3436 wrote to memory of 532	3436	systemz.exe	88
PID 3436 wrote to memory of 532	3436	systemz.exe	88
PID 400 wrote to memory of 728	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	90
PID 400 wrote to memory of 728	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	90
PID 400 wrote to memory of 728	400	27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\27a00399f30760e47de1c46ae3bf94d6_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\systemy.exe
    C:\Windows\system32\systemy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
- - C:\Windows\SysWOW64\systemz.exe
    C:\Windows\system32\systemz.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      4⤵
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:728

C:\Windows\SysWOW64\WIN
C:\Windows\SysWOW64\WIN
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
df05065e12774cb35c11da8d84695a50

SHA1
7c39d023d53e63c40afc1ff5599004bac622e13f

SHA256
3d00460d87e8eb5bd778e38648ebbd409f5b97ab1a3ac3ab121e265ae9f53a60

SHA512
0353101427ca067e06de20417d259385607a192f71b69345ff2b5ac7d89c92d8768f9b97f07ec162eb922dd4ce1168ff1eb7ab58e3cb4c02cc580c1108a91e01

Download Submit
C:\Windows\SysWOW64\systemy.exe

Filesize
861KB

MD5
27a00399f30760e47de1c46ae3bf94d6

SHA1
0d2754d68010fe33e81a33e5109adfc87fd42703

SHA256
c9307db1f99ced594e0655092df7783e40527c6db3690bcc5004e09b6be3fba5

SHA512
aae3561566f488aac805513c0b5dc87d500836bd35775c035be24051d76e1a2eebe19c09d974a6c83d05e5e2cf89974d39befa3dc3696b008960692376f1ba11

Download Submit
C:\Windows\SysWOW64\systemz.exe

Filesize
744KB

MD5
d11791dfcd4494946c677a06974dce69

SHA1
9005d079bbf6950d16c57e51dccf1bf07cca1c32

SHA256
3310b2eebc551b54b4a8a7839b39505f18bd41bec6e6eb442d90a0fd30bb7442

SHA512
0ea28a4c613f26005a9340d193aa037780f00bc476d69236ebc43a0ac9ce3d4d08aab41e7cf03fa293139404fe98792025e4c62c5474bfa0c36c36a92704fdac

Download Submit
C:\Windows\uninstal.bat

Filesize
112B

MD5
771bf2711c1eb576c68fa726edfc7f72

SHA1
a18a6925ae2633addcd462080205a36fad5806c4

SHA256
6fd6c12e7f57530f7b67d72a20f322b5b9fcb218c296f735d98f122594296b1c

SHA512
a215f66608d510be014b7f24345d530492f92209d4def0b1ffa21562afc1baa8641de437b6895e125dab04dde13a30a90d13969c594036d5b8692a0beb00c7f4

Download Submit
memory/400-27-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3436-12-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/3436-13-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3436-26-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/3980-19-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3980-18-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/3980-20-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/5028-8-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing