8ceb0b36e3c8622861e5a652441249e34a03f1e532d1913f0c92634564212812

General

Target

2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe
Size

99KB
MD5

2910986d9767fbbd405170ff6aa660b1
SHA1

78f53c86f5a53885ce8a189ec45fbd04a686593a
SHA256

8ceb0b36e3c8622861e5a652441249e34a03f1e532d1913f0c92634564212812
SHA512

9ed778fad363aad467257c9441df91ea6572e93f889ae797e0ff62e79ebba3da06c8dd93fbfff82cc5da8d80ffe9e00057d389fd16ee7f98cd9346fb271f4692
SSDEEP

1536:OOdFyasQh6BBq/AE6W+wskjOk8pzH9euzlUidKR4drzyk5CogZznkhfIO9Fea:9GdQhnAE6fwqzdeuzlUiBikAN5khdB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1640	tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe
2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	tmp.exe
1640	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2080	1856	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1640	2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1640	2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1640	2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1640	2080	2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe	31
PID 1640 wrote to memory of 1212	1640	tmp.exe	21
PID 1640 wrote to memory of 1212	1640	tmp.exe	21
PID 1640 wrote to memory of 1212	1640	tmp.exe	21
PID 1640 wrote to memory of 1212	1640	tmp.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2910986d9767fbbd405170ff6aa660b1_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
31KB

MD5
deef4643e637eebfa8e77e5addd1fdef

SHA1
32baadb9ec5855cebbeb5f19df14457728c2a149

SHA256
c7f098bb6dc397b89ce9e548f96561397dc661a9d2727af62be06733cdec23c8

SHA512
04cafb5e42fd4a67dd1a64881196aeb345a5a76bc9ba6de03776f0a477896cd6d34c2458d7ba06e59c2b23c7da8ceeeaf9d425cc6fcf2b0ac6530dbe7f5f11d9

Download Submit
memory/1212-36-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1212-33-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1640-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-32-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1640-46-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1640-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1856-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1856-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2080-28-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2080-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2080-29-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2080-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2080-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2080-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2080-47-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2080-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing