2ffee4f8944dd5d8cb197da1f91cc85e453471b555b854f83a32c5b380d1a071

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 04:07

Target

fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
Size

711KB
MD5

fbe43fc93b56d678f5b6d33f3b0d65b0
SHA1

2f76eee1c752d3894cdbb52841bd08fb0d20ddc1
SHA256

2ffee4f8944dd5d8cb197da1f91cc85e453471b555b854f83a32c5b380d1a071
SHA512

3ca078f44dbccb5c65d7a4c5b1f7e25167f7bd883ceaed45bf9d4cf8795da192b0052c3b0f3d10855e88d5cd667864ecd88e0114e4e027756c1ce5181f1d702c
SSDEEP

12288:0MViJAFvKqrhxrVsVpp7gx6v6XzD/Dgg6P7EBf8tsMm9nAO3BT5UyFLD:hiKFv5jsHp7iXzDaP7+6O3B9FP

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2372	servers.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2552	2372	servers.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\servers.exe	fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
File opened for modification	C:\Windows\servers.exe	fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
Token: SeDebugPrivilege	2372	servers.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2552	2372	servers.exe	29
PID 2372 wrote to memory of 2552	2372	servers.exe	29
PID 2372 wrote to memory of 2552	2372	servers.exe	29
PID 2372 wrote to memory of 2552	2372	servers.exe	29
PID 2372 wrote to memory of 2552	2372	servers.exe	29
PID 2372 wrote to memory of 2552	2372	servers.exe	29

C:\Windows\servers.exe
C:\Windows\servers.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:2552

C:\Windows\servers.exe

Filesize
711KB

MD5
fbe43fc93b56d678f5b6d33f3b0d65b0

SHA1
2f76eee1c752d3894cdbb52841bd08fb0d20ddc1

SHA256
2ffee4f8944dd5d8cb197da1f91cc85e453471b555b854f83a32c5b380d1a071

SHA512
3ca078f44dbccb5c65d7a4c5b1f7e25167f7bd883ceaed45bf9d4cf8795da192b0052c3b0f3d10855e88d5cd667864ecd88e0114e4e027756c1ce5181f1d702c

Download Submit
memory/1720-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1720-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1720-14-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2372-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2372-6-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2372-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2552-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2552-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download