69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1

Analysis

max time kernel
125s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 19:37

Target

f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Size

32KB
MD5

f1c3f3fd59134c31b3448774b293bf95
SHA1

e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c
SHA256

69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1
SHA512

28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed
SSDEEP

768:4T4wO+LokS0JARrVibDdPNfLxdGGVRSnZj5gjvb:wOaqrVSfq55ub

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2532	WinHelp32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHelp32.exe	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinHelp32.exe	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinHelp32.exe	WinHelp32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2532	WinHelp32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2532	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	90
PID 1284 wrote to memory of 2532	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	90
PID 1284 wrote to memory of 2532	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	90
PID 1284 wrote to memory of 3704	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	91
PID 1284 wrote to memory of 3704	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	91
PID 1284 wrote to memory of 3704	1284	f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe	91
PID 2532 wrote to memory of 868	2532	WinHelp32.exe	92
PID 2532 wrote to memory of 868	2532	WinHelp32.exe	92
PID 2532 wrote to memory of 868	2532	WinHelp32.exe	92

C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\WinHelp32.exe
  "C:\Windows\system32\WinHelp32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
    3⤵
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\F1C3F3~1.EXE > nul
  2⤵
  PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5124,i,540641839538766847,13082202367948907577,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:3856

C:\Windows\SysWOW64\WinHelp32.exe

Filesize
32KB

MD5
f1c3f3fd59134c31b3448774b293bf95

SHA1
e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c

SHA256
69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1

SHA512
28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed

Download Submit