c2781a41de812465f228cfa448ce47bebf323550c14b8305008dd6ab807326a8

General

Target

5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
Size

389KB
MD5

5b56bea85dc9c08ada5aab10c6d06609
SHA1

00e8e7e72738ef68d8b767881bcc2209cc196d55
SHA256

c2781a41de812465f228cfa448ce47bebf323550c14b8305008dd6ab807326a8
SHA512

9fa8dc161c2e25dc8e6d08abd0312d63c8e0dcb7753d1541d2c8ce8a526ee874bdb17eec3dfa8e3b6ebb77c32839a469a2339be659c31db1b91a973a883c658f
SSDEEP

6144:OHt6CApubZy5NrLaT31INuRMhYGQ/89jicQwJtTGwWmlSYlRvmGHmu:OHtqpeA5FLaT31Dkil+TGwWlYX+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 336	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	2
PID 2508 wrote to memory of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30
PID 2508 wrote to memory of 2828	2508	5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe	30
PID 336 wrote to memory of 848	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b56bea85dc9c08ada5aab10c6d06609_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
7a75f1e0afd408180b328facaf20faf0

SHA1
d75cfbe342842a380cc3a2dce384630b23070b1e

SHA256
c8baa8d669c8c9943bb255b3174fed44277b96a3c70611c0595b719cad630377

SHA512
e35d7ba1eec9c38e972d140474cb53c4eb654929a609df5832d25224b44be5cea46fb9c1f0a2d386b87e1d15ad6e9a78fc50ceb6040d1001e88f95cb4ab44fb8

Download Submit
memory/336-33-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/336-32-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/336-25-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/336-26-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/336-27-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/848-44-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/848-43-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/848-48-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/848-46-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/848-47-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/848-35-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/848-39-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/2508-14-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-9-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-5-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2508-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2508-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2508-13-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-19-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-15-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2508-16-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download
memory/2508-18-0x00000000026C0000-0x0000000002705000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing