44d2dc0bb1dfaa72f9e4ded656f16f3d9882feb6142e99e6ff961f985fcad074

General

Target

3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
Size

193KB
MD5

3748bd0b2ede9d082980227092b0b6a4
SHA1

3eb2bed232bc0d39ff9dcf2cf4d379425c7ffec5
SHA256

44d2dc0bb1dfaa72f9e4ded656f16f3d9882feb6142e99e6ff961f985fcad074
SHA512

5ef471b44208d315a4e12d618ab88c77b088b86e1648cc6ecd770757a979de7ff3aa32c0b75ff3dcf436498d01a2042107fedd32fffe4a4453d18c06f69294c4
SSDEEP

3072:TTf0AhReyNptvcCVsxIxgJEgoNB8/JfAu2q9arVxpmlgq1hmq9hv06gCPvH:TTfpneyNvlVcEgoNmRAuF9aRx6f+C3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1236	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	21
PID 2892 wrote to memory of 336	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	2
PID 336 wrote to memory of 2628	336	csrss.exe	28
PID 336 wrote to memory of 2628	336	csrss.exe	28
PID 336 wrote to memory of 2724	336	csrss.exe	29
PID 336 wrote to memory of 2724	336	csrss.exe	29
PID 2892 wrote to memory of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30
PID 2892 wrote to memory of 2744	2892	3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe	30
PID 336 wrote to memory of 836	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:836
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2628

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1236
- C:\Users\Admin\AppData\Local\Temp\3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3748bd0b2ede9d082980227092b0b6a4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2744

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
8e541e6296b5b1148af76bbe2139ef1a

SHA1
39be4656ecf2fbbb6272af31dd68a204a5657db2

SHA256
4a52c8347b10aa2912eae8dc7f868532847d8095062fa4b7658875ea7b7d1e0f

SHA512
ba6cf90c5fc4790b4079b44959a9a173403eb43b0e0b56ba746d36754cc4ed3dd97c7392ad9b94650b3d64335fd89b6c6825847070635b05e1a6e34552c1c07e

Download Submit
memory/336-30-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/336-29-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/336-22-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/336-20-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/336-19-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/836-43-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/836-40-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/836-41-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/836-36-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/836-44-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/836-32-0x0000000000BC0000-0x0000000000BCB000-memory.dmp

Filesize
44KB

Download
memory/836-45-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/1236-4-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/1236-13-0x0000000002E30000-0x0000000002E32000-memory.dmp

Filesize
8KB

Download
memory/1236-12-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/1236-8-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/2892-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-25-0x0000000000429000-0x000000000042D000-memory.dmp

Filesize
16KB

Download
memory/2892-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-0-0x0000000000429000-0x000000000042D000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing