22f7a9926c6a906a4b5d54810cc2de5ebf4a8899c9728e9ea4069b334a365fed

General

Target

63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
Size

187KB
MD5

63893203f58fc641c0bc09b6b925ce39
SHA1

a8ea7105dd766f912f038e1001fa994583ed4413
SHA256

22f7a9926c6a906a4b5d54810cc2de5ebf4a8899c9728e9ea4069b334a365fed
SHA512

9cab21495410cf92b19f69cc786aa2030c9ce9d0a8ec6f6b8f2a9d121371962bbacbc65acd5c4c0cc32554cb535d5d4de98fb5f09db46f59b378bdcc85192711
SSDEEP

3072:l2OJOFSUwUyKfM5Iq48bwfeQ0hF/fYmdbxGZlcy9wKC50sNj7NpcEt0:l4FKXqMzbwJ0hhhbx22y5C50sd7U9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
Token: SeDebugPrivilege	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1252	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	20
PID 924 wrote to memory of 336	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	2
PID 924 wrote to memory of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29
PID 924 wrote to memory of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29
PID 924 wrote to memory of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29
PID 924 wrote to memory of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29
PID 924 wrote to memory of 2924	924	63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe	29
PID 336 wrote to memory of 836	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:836

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\63893203f58fc641c0bc09b6b925ce39_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
3ba387c7fbab7c1e02846b9c1d9b1331

SHA1
f03095c4bb9e40b431215a14667538495ff1e019

SHA256
d163de45870a45f568d28e0397ea63c9cb4e7d1996de603688324a4e17c333a4

SHA512
333ccc840ad7d6fe856cb0eaa6aec93391e22868a9abec02c681ab3963b01b3f03ba56c3289e4ed48f391fef8ed0fa054d35d56c6300eb3bab6805c5ebaf2956

Download Submit
memory/336-21-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/336-20-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/336-29-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/336-18-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/836-40-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/836-31-0x00000000008C0000-0x00000000008CB000-memory.dmp

Filesize
44KB

Download
memory/836-42-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/836-43-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/836-35-0x00000000008C0000-0x00000000008CB000-memory.dmp

Filesize
44KB

Download
memory/836-44-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/836-39-0x00000000008C0000-0x00000000008CB000-memory.dmp

Filesize
44KB

Download
memory/924-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-25-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/924-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/924-3-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1252-12-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1252-13-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/1252-8-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/1252-4-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing