9f203b82f1893938c5d2eb68468005caeeb10b098535c75d3ed67c2ca79151a6

General

Target

41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe
Size

641KB
MD5

41cbc5472f5c25e6874889c471112488
SHA1

4422e7816035d05bdaec18962df7867a0d1dcc64
SHA256

9f203b82f1893938c5d2eb68468005caeeb10b098535c75d3ed67c2ca79151a6
SHA512

4fdea28d7b85c09eabf01f16eca8d852f0f97cc6239bbe7edb2ee21180002b8cd46237fdf148c90df3934530442e9a03ae3ee94b3e2d37340f61317b6d3f6636
SSDEEP

12288:LvTkPWr5hj6j0UBeb5WKigJKdpV2BBiLlOIBf5F3Z4mxxgDqVTVOCGq1oLM:rqi/ejNBebAKiPwBBiZLHQmX3VTzdiY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe
File created	C:\Windows\DELME.BAT	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe
File created	C:\Windows\svchost.exe	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2864	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 820	2864	svchost.exe	31
PID 2864 wrote to memory of 820	2864	svchost.exe	31
PID 2864 wrote to memory of 820	2864	svchost.exe	31
PID 2864 wrote to memory of 820	2864	svchost.exe	31
PID 1744 wrote to memory of 2928	1744	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2928	1744	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2928	1744	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2928	1744	41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41cbc5472f5c25e6874889c471112488_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DELME.BAT
  2⤵
  - Deletes itself
  PID:2928

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DELME.BAT

Filesize
218B

MD5
c571b20c8d0c347f8496dca490913700

SHA1
35ca6f2ffaedbcd05868edc0476ec8a7b7d91330

SHA256
86c385532cf186e7d5fc39ff8932cb5ef7fc04aaf33bee0ded46b1e5c1cb511c

SHA512
d8121fd955305d71cc644211e30cc31fa7d0643d5aa74a2da93a7a3c75e0cd5dcfb995db0f67a0b187d778c7e28ed8d56ff6d3ea7eb4d73ff81db8f7a5875df1

Download Submit
C:\Windows\svchost.exe

Filesize
641KB

MD5
41cbc5472f5c25e6874889c471112488

SHA1
4422e7816035d05bdaec18962df7867a0d1dcc64

SHA256
9f203b82f1893938c5d2eb68468005caeeb10b098535c75d3ed67c2ca79151a6

SHA512
4fdea28d7b85c09eabf01f16eca8d852f0f97cc6239bbe7edb2ee21180002b8cd46237fdf148c90df3934530442e9a03ae3ee94b3e2d37340f61317b6d3f6636

Download Submit
memory/1744-12-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/1744-2-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1744-8-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1744-7-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1744-6-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1744-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1744-13-0x00000000032C0000-0x00000000032C3000-memory.dmp

Filesize
12KB

Download
memory/1744-14-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1744-11-0x00000000032C0000-0x00000000033C0000-memory.dmp

Filesize
1024KB

Download
memory/1744-9-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1744-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1744-3-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1744-18-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1744-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1744-16-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1744-15-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/1744-10-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1744-32-0x0000000001E20000-0x0000000001E74000-memory.dmp

Filesize
336KB

Download
memory/1744-1-0x0000000001E20000-0x0000000001E74000-memory.dmp

Filesize
336KB

Download
memory/1744-31-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2864-22-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2864-34-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing