c7a9127aec675f686eb2da0a205b0eee713ecb380b27c071ab2313e1e725df6f

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe
Size

3.2MB
MD5

f67b891a5bfd1bc6600708a56db34ff1
SHA1

ccd7a87525ec4fca7145deb5efd1fa249cc3ac85
SHA256

c7a9127aec675f686eb2da0a205b0eee713ecb380b27c071ab2313e1e725df6f
SHA512

7cd91054ae0be8361d1cbb2bfc3341b8d9488888a50d3d552a26f7dec585262ed564ef15271a8b04f560590173535bdcb399d7d97b63ac056bf559910c6653ce
SSDEEP

49152:hcW4f6wJoizrEEQabucQ9vwjWp7iUOtBXOn0wxWPRUaP7x7Bjq3+D:hX4SwSbHabCvwjWGtA0wOyazx1z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp
2968	utPjaNHwdqOLtuU.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe
2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2968	utPjaNHwdqOLtuU.exe
Token: SeSecurityPrivilege	2968	utPjaNHwdqOLtuU.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2860	2196	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29
PID 2860 wrote to memory of 2968	2860	f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp	29

C:\Users\Admin\AppData\Local\Temp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\is-I15M9.tmp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-I15M9.tmp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp" /SL5="$400EC,2654744,721408,C:\Users\Admin\AppData\Local\Temp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\is-0RNSC.tmp\utPjaNHwdqOLtuU.exe
    "C:\Users\Admin\AppData\Local\Temp\is-0RNSC.tmp\utPjaNHwdqOLtuU.exe" 82dac3da447c8428999f1b05ebe4de76
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0RNSC.tmp\utPjaNHwdqOLtuU.exe

Filesize
2.1MB

MD5
c6cca9284ade0a87009a36c0499e089f

SHA1
613f1b9fedbc5da2b74ce38ffac55692b166b4b2

SHA256
6ce98b193e44d85813918b15741e75a0c67f5da2d5480298ef11ea3950047abe

SHA512
440131852152e44f49ca743452a9def4b47b8a7f12d25d2c1402f4148dffb80a7900c7f0e13cf2cb8e1902088181813edd8e980528ef187c727babe38eb6e87d

Download Submit
\Users\Admin\AppData\Local\Temp\is-I15M9.tmp\f67b891a5bfd1bc6600708a56db34ff1_JaffaCakes118.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
memory/2196-41-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2196-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2196-17-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2860-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-39-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2860-18-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2968-16-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2968-19-0x0000000000400000-0x0000000002426000-memory.dmp

Filesize
32.1MB

Download
memory/2968-15-0x0000000000400000-0x0000000002426000-memory.dmp

Filesize
32.1MB

Download
memory/2968-14-0x0000000000400000-0x0000000002426000-memory.dmp

Filesize
32.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads