7be650c7772b42460dae78173c846fc028279b7d6aa8db33665daee657762c08

General

Target

8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
Size

121KB
MD5

8be14baf1c6be4481c51ed20ca49d3ca
SHA1

e64db44ac7528836df0d8ca6b6dc697265d79376
SHA256

7be650c7772b42460dae78173c846fc028279b7d6aa8db33665daee657762c08
SHA512

30f7571182e08aaebdc2edff98a8305d16bf5bb184bc71f9e6506bb8968b0818be6781d8e35cc0d28bffdc47ee2e67a822be5007e745ac28adf4cfa1a4a6cebd
SSDEEP

1536:JAn0oppM4wDXMGpPK+F647mZ5CeCsybRXvZ+8JwocOdGjizaEoLaGVP:C1ppM48XMGg+5W5BCx7UGGTzl

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 556 set thread context of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 4972 set thread context of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
Token: SeDebugPrivilege	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
Token: SeDebugPrivilege	2880	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 452	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	84
PID 556 wrote to memory of 452	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	84
PID 556 wrote to memory of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 556 wrote to memory of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 556 wrote to memory of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 556 wrote to memory of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 556 wrote to memory of 4972	556	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	85
PID 4972 wrote to memory of 4452	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	86
PID 4972 wrote to memory of 4452	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	86
PID 4972 wrote to memory of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87
PID 4972 wrote to memory of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87
PID 4972 wrote to memory of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87
PID 4972 wrote to memory of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87
PID 4972 wrote to memory of 2880	4972	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	87
PID 2880 wrote to memory of 800	2880	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	88
PID 2880 wrote to memory of 800	2880	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	88
PID 2880 wrote to memory of 1556	2880	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	89
PID 2880 wrote to memory of 1556	2880	8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
  2⤵
  PID:452
- C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
    3⤵
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
      4⤵
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe
      4⤵
      PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\8be14baf1c6be4481c51ed20ca49d3ca_JaffaCakes118.exe.log

Filesize
224B

MD5
1e4f2a29e11dead55e61329942cd2b14

SHA1
4b3ec9b98797d2f734d67b47cc149546f21cf0af

SHA256
28bbb0da12bd69adc9df324c01392655b788115aba7466f02c23e1ba09f789d4

SHA512
2e28227d898486bfe1cea081df486464b214df50500786e30d6ee9e7d6391f3aacd2f1ed1d0eab60d518bbc79f20f32c226f00ffd70abfe9af45a746cb08416c

Download Submit
memory/556-0-0x00007FFC8D115000-0x00007FFC8D116000-memory.dmp

Filesize
4KB

Download
memory/556-1-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/556-2-0x000000001BFD0000-0x000000001C076000-memory.dmp

Filesize
664KB

Download
memory/556-5-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/2880-11-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/2880-8-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/4972-6-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/4972-7-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download
memory/4972-9-0x00007FFC8CE60000-0x00007FFC8D801000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads