cb8aa3c9633d130b6d87dd2033af9ba5d8f48867e16aea6ffa16704b0fbb4182

General

Target

3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
Size

190KB
MD5

3580b554d32a740b45d29bad3c0c226e
SHA1

100b09968b027fc688417591b46ec479ffc2480a
SHA256

cb8aa3c9633d130b6d87dd2033af9ba5d8f48867e16aea6ffa16704b0fbb4182
SHA512

848d9fc8927058824ad9e9131860dc31733785eccabbf481c23ef90dc6245addfd81839606ca6c9f8da810e305d1c99195e4de7b20a3512468367c95ab12848d
SSDEEP

3072:7WbfdXHTi2YBJyiKzdwiLUJKDb+ihHj45kzulHZy8idZz3MydDZgvqZWTnkyfDQ4:7WLdXzXYBJyiKz3AJa+ihHj4azs5adun

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
Token: SeDebugPrivilege	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1260	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	21
PID 2016 wrote to memory of 332	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	2
PID 2016 wrote to memory of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2588	2016	3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe	30
PID 332 wrote to memory of 856	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3580b554d32a740b45d29bad3c0c226e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
320dca1db467a364ecfbdfec2248ff85

SHA1
1cb3d783f834b33f3d7b7db015cd628510c7055c

SHA256
63a243771fb4d14c6d227206db251a8f8d743891c9f58a0b4089957744b62299

SHA512
7c018fac0bb34ff9e11d11f3edfb8f163bc43aa553f11b8efe60c9cd94cbdc94bbd94589b40eb00986fb74adcf045b6aaa6e7437025dbff6828d06e7fa73ea5b

Download Submit
memory/332-28-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download
memory/332-27-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/332-19-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/332-20-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download
memory/332-18-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download
memory/856-41-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/856-38-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/856-30-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/856-42-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/856-39-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/856-34-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/856-43-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/1260-12-0x0000000002600000-0x0000000002602000-memory.dmp

Filesize
8KB

Download
memory/1260-3-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/1260-7-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/1260-11-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/2016-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-24-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/2016-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-0-0x0000000000417000-0x000000000041B000-memory.dmp

Filesize
16KB

Download
memory/2016-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing