9678948e21027247d80264c524f3b88e71a83393e15dd9e42b20b9bda9759603

General

Target

5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
Size

16KB
MD5

5eac2c707c748434b14993582f62a679
SHA1

df603f3d98ed574a72c54415b22be65cb9cf6cf2
SHA256

9678948e21027247d80264c524f3b88e71a83393e15dd9e42b20b9bda9759603
SHA512

b02143f296e4efc2db698fd8bffc48144712259ba1cb6c4520377e9263dec1cc2f19a2cefbf3430d7be524e6a38f31d3a2e9bc66aadcad4c8295af3cad3a0e10
SSDEEP

192:ofzy2j9N/lfXNnITBrnOHbFGOPx1Q5ubiOPqr/M8HyaoVdmnYQdR:Yzy25NF9nc5nQJ1Q5ubiND8Vdmh

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2932	sc.exe
2208	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2944	taskkill.exe
2060	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1100	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	30
PID 2152 wrote to memory of 1100	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	30
PID 2152 wrote to memory of 1100	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	30
PID 2152 wrote to memory of 1100	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2208	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2208	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2208	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2208	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2060	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2060	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2060	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2060	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2932	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	33
PID 2152 wrote to memory of 2932	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	33
PID 2152 wrote to memory of 2932	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	33
PID 2152 wrote to memory of 2932	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	33
PID 2152 wrote to memory of 2944	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	34
PID 2152 wrote to memory of 2944	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	34
PID 2152 wrote to memory of 2944	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	34
PID 2152 wrote to memory of 2944	2152	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	34
PID 1100 wrote to memory of 1212	1100	net.exe	40
PID 1100 wrote to memory of 1212	1100	net.exe	40
PID 1100 wrote to memory of 1212	1100	net.exe	40
PID 1100 wrote to memory of 1212	1100	net.exe	40

C:\Users\Admin\AppData\Local\Temp\5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5eac2c707c748434b14993582f62a679_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1212
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im soul.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im zeroonline.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2944