69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 19:37

Target

f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Size

32KB
MD5

f1c3f3fd59134c31b3448774b293bf95
SHA1

e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c
SHA256

69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1
SHA512

28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed
SSDEEP

768:4T4wO+LokS0JARrVibDdPNfLxdGGVRSnZj5gjvb:wOaqrVSfq55ub

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	WinHelp32.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHelp32.exe	WinHelp32.exe
File created	C:\Windows\SysWOW64\WinHelp32.exe	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinHelp32.exe	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1700	WinHelp32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1700	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1700	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1700	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1700	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	28
PID 2300 wrote to memory of 2072	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2072	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2072	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	29
PID 2300 wrote to memory of 2072	2300	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	29
PID 1700 wrote to memory of 2800	1700	WinHelp32.exe	30
PID 1700 wrote to memory of 2800	1700	WinHelp32.exe	30
PID 1700 wrote to memory of 2800	1700	WinHelp32.exe	30
PID 1700 wrote to memory of 2800	1700	WinHelp32.exe	30

C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\WinHelp32.exe
  "C:\Windows\system32\WinHelp32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\F1C3F3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2072

\Windows\SysWOW64\WinHelp32.exe

Filesize
32KB

MD5
f1c3f3fd59134c31b3448774b293bf95

SHA1
e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c

SHA256
69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1

SHA512
28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed

Download Submit