02786fbf22b3a946ecf8eaae05127fb616d8f12ec94aa9a669e7897a71aee7d9

General

Target

38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe
Size

961KB
MD5

38e0cf78154dc3106a85822ea91a933b
SHA1

17eab8af533e2edcf271be04ee1bec3771336e7e
SHA256

02786fbf22b3a946ecf8eaae05127fb616d8f12ec94aa9a669e7897a71aee7d9
SHA512

e209dfda4a79ba00ad74df6818954a5a2e1db8534344b59c7c16c6e9bd1e53ad24edf3c3cbefcb68cde57a7d26d089bbb1eec047dd09cd634b997ece1704b3e3
SSDEEP

12288:NXWK/zuOn6PITSvUG+T8E3tDUcJF1TjSoYQNTF3Z4mxxNniRhTqKTq7FFg0gkR:hWTmyx+Th3zVXYQNTQmXRiRhu2qTg0g2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	L_Server2007.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L_Server2007.exe	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe
File opened for modification	C:\Windows\L_Server2007.exe	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe
File created	C:\Windows\L_Server2007.DLL	L_Server2007.exe
File opened for modification	C:\Windows\L_Server2007.DLL	L_Server2007.exe
File created	C:\Windows\uninstal.bat	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2376	L_Server2007.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2836	1972	38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 1216	2376	L_Server2007.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\38e0cf78154dc3106a85822ea91a933b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - Deletes itself
    PID:2836

C:\Windows\L_Server2007.exe
C:\Windows\L_Server2007.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\L_Server2007.exe

Filesize
961KB

MD5
38e0cf78154dc3106a85822ea91a933b

SHA1
17eab8af533e2edcf271be04ee1bec3771336e7e

SHA256
02786fbf22b3a946ecf8eaae05127fb616d8f12ec94aa9a669e7897a71aee7d9

SHA512
e209dfda4a79ba00ad74df6818954a5a2e1db8534344b59c7c16c6e9bd1e53ad24edf3c3cbefcb68cde57a7d26d089bbb1eec047dd09cd634b997ece1704b3e3

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
49b6d618109390fe8e30baa6877faacf

SHA1
fd73166dc7ebd5b53192b1f6fb36f8203d9bef3e

SHA256
114d47eaca2d6dd8e00788d99f5de186385bd662d3abc6d60b5caff8071fbfe0

SHA512
286018b6f31a5b01d00cd3b2055f4ac32f1aab25d6b7519af4fbc5127390f6a7c5910f95191bd23ae91d364c4c26ca935ef879edab6dfcdadcfdbcab0d23e7fa

Download Submit
memory/1216-37-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1972-6-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1972-4-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1972-13-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1972-12-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/1972-11-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1972-10-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1972-9-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1972-8-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/1972-7-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/1972-0-0x0000000013140000-0x0000000013240000-memory.dmp

Filesize
1024KB

Download
memory/1972-5-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/1972-15-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1972-19-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1972-18-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1972-17-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1972-20-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1972-21-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1972-16-0x0000000003170000-0x0000000003270000-memory.dmp

Filesize
1024KB

Download
memory/1972-1-0x0000000001B70000-0x0000000001BC4000-memory.dmp

Filesize
336KB

Download
memory/1972-14-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/1972-35-0x0000000001B70000-0x0000000001BC4000-memory.dmp

Filesize
336KB

Download
memory/1972-34-0x0000000013140000-0x0000000013240000-memory.dmp

Filesize
1024KB

Download
memory/2376-23-0x0000000013140000-0x0000000013240000-memory.dmp

Filesize
1024KB

Download
memory/2376-38-0x0000000013140000-0x0000000013240000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing