72207f291b9e88a8ab5910773ac8c11b53f0646cf840f89e220a7bf1d2f1ee86

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 11:56

Target

e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe
Size

16KB
MD5

e27d70c83690a92a9e6759763fa814e7
SHA1

27eeb9b00c0e49ef489f1535c8442f288def2e0b
SHA256

72207f291b9e88a8ab5910773ac8c11b53f0646cf840f89e220a7bf1d2f1ee86
SHA512

f094a938712e1640b6c4ea15d917672a4dd50105044ae955b424447b509facbd3b7368412ccd1d15834258764078376269530daa0a9a447fcc00b62207205aa6
SSDEEP

384:X4YLk+COgc5XW8liKNpY0BXjbtw3Ge6RiIuYeVjal/4:X4DW5XW8YAptwabRog

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1608	spoolsrv32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1548-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/1548-6-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/files/0x000800000002321b-5.dat	upx
behavioral2/memory/1608-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1608-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spoolsrv32.exe	e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srpcsrv32.dll	e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1608	spoolsrv32.exe
1608	spoolsrv32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	spoolsrv32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1608	1548	e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe	86
PID 1548 wrote to memory of 1608	1548	e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe	86
PID 1548 wrote to memory of 1608	1548	e27d70c83690a92a9e6759763fa814e7_JaffaCakes118.exe	86

C:\Windows\SysWOW64\spoolsrv32.exe

Filesize
8KB

MD5
bb3ed63a961761be10ed02747ceaa987

SHA1
895a93d05702b87c4f34652e35d1afd940169312

SHA256
a1773a0b4595ea44a5c4b0de76b140263796904a8e1c609f58308bc35d1e3ee0

SHA512
61cd4c184e6ee3dc2cf3119764e4e57c5c27b0887835b8234dc244808ed9da19cb546fff488c3493655aa178977b6a9ba1bd99f08e99a397ea21049d635f53d4

Download Submit
memory/1548-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1548-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1608-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1608-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download