fbd6416060e3d446088838ec17fdc5b2238e76689956a5e6dd01091e77dba81f

General

Target

42294ecb2e499533c8db16025cc901b6_JaffaCakes118.dll
Size

322KB
MD5

42294ecb2e499533c8db16025cc901b6
SHA1

baa6d0c81cbdb5a5e6bb2699f0917bb40c9569f0
SHA256

fbd6416060e3d446088838ec17fdc5b2238e76689956a5e6dd01091e77dba81f
SHA512

0cda76436352cc3a30a1adb33f55a608e158fb4599859be5c9fcca1d22bf909bd3d0100ffb0a22c098e515ec98cbc57bb4d5fab36448b94a2df0ec88cca140af
SSDEEP

3072:pXP/MN1yX++VjZf5gGmXKlOJ7UgiypovUjBlk8LKXknmi/HljH+G5MLBAxn25TWu:pf03yX++VjZm6sd74i/4GLnYyYDJXT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
332	csrss.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2324	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	rundll32.exe
Token: SeDebugPrivilege	2324	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2900 wrote to memory of 2324	2900	rundll32.exe	30
PID 2324 wrote to memory of 332	2324	rundll32.exe	2
PID 2324 wrote to memory of 2904	2324	rundll32.exe	31
PID 2324 wrote to memory of 2904	2324	rundll32.exe	31
PID 2324 wrote to memory of 2904	2324	rundll32.exe	31
PID 2324 wrote to memory of 2904	2324	rundll32.exe	31
PID 332 wrote to memory of 2760	332	csrss.exe	32
PID 332 wrote to memory of 2760	332	csrss.exe	32
PID 332 wrote to memory of 860	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:860
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2760

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42294ecb2e499533c8db16025cc901b6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\42294ecb2e499533c8db16025cc901b6_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
c7ab2d82fa6ab38f870d6ce033e9ed31

SHA1
61d54cea377f4b8efdd233500fd775da25be43a2

SHA256
7dac47d9ee09cbf00b210726e4b3fa69c386d24794e00d81131ba1b5339a2e38

SHA512
55d02a6786b6b38c83e2b9f22da14d1501ad7798e27bd0129a2fdd837e2228bb213c887decaf0611def7d282455afd37226ae8ad58f991d8f0c9edd81c56edc6

Download Submit
memory/332-22-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/332-31-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/332-30-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/332-25-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/332-24-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/860-41-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/860-33-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/860-46-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/860-44-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/860-45-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/860-37-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/860-42-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/2324-8-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-0-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2324-28-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2324-29-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2324-3-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2324-2-0x0000000000171000-0x0000000000174000-memory.dmp

Filesize
12KB

Download
memory/2324-12-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-4-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-14-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-13-0x0000000000170000-0x00000000001C3000-memory.dmp

Filesize
332KB

Download
memory/2324-15-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-16-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2324-1-0x0000000000170000-0x00000000001C3000-memory.dmp

Filesize
332KB

Download
memory/2324-17-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing