70ddb013e92765b03bf48692a515082a9c343ec86124ac631266517b40b7a69a

General

Target

f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe
Size

905KB
MD5

f8b2caa2d6db38de32b9626a3b0f9dff
SHA1

0e60bcac8324de0199ead858dd5334a4accbf02d
SHA256

70ddb013e92765b03bf48692a515082a9c343ec86124ac631266517b40b7a69a
SHA512

488381acfb335930e94502a480d80671d65502fbeb95522664b0ef2406123f456c275051036680c96a060b9da946ba68e53375cd479ecf134f4d047566a9b21b
SSDEEP

12288:Cgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawnjKgRRA8rZNrI0AilFEvxHG:jtY4MROxnFbgHLrZlI0AilFEvxHina2

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 4764 wrote to memory of 2752	4764	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe	csc.exe
PID 4764 wrote to memory of 2752	4764	f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe	csc.exe
PID 2752 wrote to memory of 4320	2752	csc.exe	cvtres.exe
PID 2752 wrote to memory of 4320	2752	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8b2caa2d6db38de32b9626a3b0f9dff_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfizte32.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7437.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7436.tmp"
    3⤵
    PID:4320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7437.tmp

Filesize
1KB

MD5
00083f41911918860fad11257addebf3

SHA1
2b8d82547e52f1668bce22cca66dea2075b909d1

SHA256
a5739d7d46590568993aa18685477069a86ba3f5502ee8f3b88c13c68ad829e5

SHA512
490940888f21e0f3a09df25d970408af5ec73b0eca3f86d7d445138feb5e14c94d835cd523922f30abfa37fc18f092cd04f2866b5995b0ece3c00511cc084fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfizte32.dll

Filesize
76KB

MD5
7aac35164ccdfd07368e3a05e5cc08e2

SHA1
cb7e8369a3b2e3bf0e4e1a53ff84c99d98682883

SHA256
b127a94c85323ef76e91447a93e900cf0ea138acc4c5a56a9782313c170f0244

SHA512
0295b0fd729ec4c30418820b127d1a2ae00d58bb31ee0f0ec4c03b6876f14bd780455b822c93c2fd36cce90236316f7d1cef26376ef698702fa32c3223821e44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7436.tmp

Filesize
676B

MD5
9133403e5ba467e97d4a154170558b5a

SHA1
21b234e67fcc0d273e8ad08b4f0e4362dd236a80

SHA256
e6600cf48c27f2ed2ca5adac08c50091dd093979052fe623deabc97e849c97f3

SHA512
dba27dbbbc31df69e466b6b377ad9435fda80baa40e9d6c8465da0b3b494a98880b53ae0017b15746df4cd50fd240ce968892b29e1ba0ec759bc3a8f370ab195

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfizte32.0.cs

Filesize
208KB

MD5
30c04f42b36c2aefe1ac405eaf25a624

SHA1
20d7d99f11c5916108dbe8ea4fe10932bdc97031

SHA256
b16f865c0736c3bd1fea92481ad6f898825e657d5a21da0ef39e047706a15a7b

SHA512
e1419fab217284898c97cd2458cbfa096932819b7e7961fabad6ef35d1b6633762e1cd4acd72b3e667b24a5f9b31043276e12d5ce0ccc240c97bc2fee1bca139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfizte32.cmdline

Filesize
349B

MD5
60bef124f6967a0dd0990339ee2152a7

SHA1
7c7d7cfe9139f10b593ec83f92109d34143cd564

SHA256
38689d723fbdbcee882d363ce2c34d80102909b35dbb0b477d228da6a2aad718

SHA512
5a2f99405dbc6259b0360ef7e703def68cd7deeb7f5a3046e408bcde27cec37b75fa297ab9fe15c5e8e5eec87c5b806b48db7e66faf401badb1dd5c358640ac8

Download Submit
memory/2752-21-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/2752-18-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/4764-7-0x000000001BB50000-0x000000001C01E000-memory.dmp

Filesize
4.8MB

Download
memory/4764-8-0x000000001C020000-0x000000001C0BC000-memory.dmp

Filesize
624KB

Download
memory/4764-0-0x00007FFFC6135000-0x00007FFFC6136000-memory.dmp

Filesize
4KB

Download
memory/4764-6-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/4764-5-0x000000001B490000-0x000000001B49E000-memory.dmp

Filesize
56KB

Download
memory/4764-2-0x000000001B3A0000-0x000000001B3FC000-memory.dmp

Filesize
368KB

Download
memory/4764-23-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/4764-1-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/4764-25-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/4764-26-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/4764-27-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/4764-28-0x00007FFFC5E80000-0x00007FFFC6821000-memory.dmp

Filesize
9.6MB

Download
memory/4764-29-0x00007FFFC6135000-0x00007FFFC6136000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads