abab4575620aa466b3421de5ace347708d907b758ac4c06b55e9a2181d2b2908

General

Target

5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
Size

190KB
MD5

5fab40e74f979c5d432e814d4f08f743
SHA1

ab71ff8a582529bde25ecb51332a093fdf9661e3
SHA256

abab4575620aa466b3421de5ace347708d907b758ac4c06b55e9a2181d2b2908
SHA512

6140210348bc7b0278253f12c463c56b77ba72ad1357e341c68ea0aa22d02aa848581388ca5735513e4e7fc1af97d3456deb3b11c0491afed0d52f54a24d20bb
SSDEEP

3072:D00boXeanH+6wZCkcC78L0QcI3ZMcbn35zl3WdCZDqPv:40sTe6pl0QcIj3WdC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
580	systen.exe
2736	ghoct.exe
2788	tongji.exe

Loads dropped DLL 14 IoCs

pid	Process
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2836	2736	WerFault.exe	30
2952	2788	WerFault.exe	32

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 580	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	29
PID 3068 wrote to memory of 580	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	29
PID 3068 wrote to memory of 580	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	29
PID 3068 wrote to memory of 580	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2736	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2736	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2736	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2736	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2836	2736	ghoct.exe	31
PID 2736 wrote to memory of 2836	2736	ghoct.exe	31
PID 2736 wrote to memory of 2836	2736	ghoct.exe	31
PID 2736 wrote to memory of 2836	2736	ghoct.exe	31
PID 3068 wrote to memory of 2788	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2788	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2788	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2788	3068	5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe	32
PID 2788 wrote to memory of 2952	2788	tongji.exe	33
PID 2788 wrote to memory of 2952	2788	tongji.exe	33
PID 2788 wrote to memory of 2952	2788	tongji.exe	33
PID 2788 wrote to memory of 2952	2788	tongji.exe	33

C:\Users\Admin\AppData\Local\Temp\5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fab40e74f979c5d432e814d4f08f743_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\systen.exe
  "C:\Users\Admin\AppData\Local\Temp\systen.exe"
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Users\Admin\AppData\Local\Temp\ghoct.exe
  "C:\Users\Admin\AppData\Local\Temp\ghoct.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\tongji.exe
  "C:\Users\Admin\AppData\Local\Temp\tongji.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 172
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systen.exe

Filesize
28KB

MD5
b765850e13c385bd7f28081e4915078d

SHA1
2a8b1962562d4b9064b9518ff2bf0690011b56ed

SHA256
54e83640db164c035fa2a20f21fc523786fd174a0d1f667d6fb2b8acb3c8ecfe

SHA512
0614739324d7ba0c71a05d92eb7e55b810bf4b1f3daa5b79df7af0bde20a861480033fc48fd03cc9a39460a7579b013fc06ff78d0fd5cf418f586fd85b0180b7

Download Submit
\Users\Admin\AppData\Local\Temp\ghoct.exe

Filesize
39KB

MD5
62d3e446c9f2059a8f5d58038f248a2c

SHA1
b2da123d019771561b7f5d4715e29dc293af5bf8

SHA256
2b51b5fac70cd544702d14f8e4e2b0c1ff38e8eda369ac233fe43b3337078ace

SHA512
0613cd02b21e219b9359c444af343026da3005571a0274e329a537ed53d3e31bfbaa4513088b9f721525ffb7988b067c43c4b0eb78e0c3c39ecaf008a50c240f

Download Submit
\Users\Admin\AppData\Local\Temp\tongji.exe

Filesize
60KB

MD5
aee7c82b20524567d647a1a5a1602675

SHA1
6bd1740f6bc838a3c7d3fe508680244c7dd4f548

SHA256
35249fa6b7e70076fb486e4fe7b4e6d5c65acd6c6fbfcd5b904910c6ab56e683

SHA512
2090bc64410db331bf0a5faf2c3017b3a72277ad887e6778fca2f983050ce0f09d2cf970b755a8cf0d8629618ef444afad903991ca3ad005709f7f0421cc31d0

Download Submit
memory/580-11-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2736-23-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2788-46-0x0000000013150000-0x0000000013164000-memory.dmp

Filesize
80KB

Download
memory/2788-39-0x0000000013150000-0x0000000013164000-memory.dmp

Filesize
80KB

Download
memory/3068-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3068-22-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/3068-36-0x0000000013150000-0x0000000013164000-memory.dmp

Filesize
80KB

Download
memory/3068-37-0x0000000013150000-0x0000000013164000-memory.dmp

Filesize
80KB

Download
memory/3068-17-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/3068-8-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads