47faf970d9ffbd4b00d71422c8d085031cc886cc38f954f944795919077110e8

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 08:57

Target

0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
Size

1.1MB
MD5

0e0f26990fcd9cfca701cf0a3b5453ef
SHA1

03535fcd98358f9b223198665de99b0445200151
SHA256

47faf970d9ffbd4b00d71422c8d085031cc886cc38f954f944795919077110e8
SHA512

e8ed55c83645e25afcf3e918cd59224c95df3bff3d0b701f1367ceae2542c2aa1f2d3822a3945d9f06560e3c012e7beb63831c7bf74baa46e79807863d108204
SSDEEP

24576:xqqG0ss+JPptGgRUbUrMymVxVYRdZDoHyhVr4B2+WFw2:rG0aPpUgvrMymVxV0Z8SVSD6l

Score

7^/10

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtHgNeMqRB.url	wscript.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4920	116	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1752	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	98
PID 116 wrote to memory of 1752	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	98
PID 116 wrote to memory of 1752	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	98
PID 1752 wrote to memory of 1628	1752	cmd.exe	100
PID 1752 wrote to memory of 1628	1752	cmd.exe	100
PID 1752 wrote to memory of 1628	1752	cmd.exe	100
PID 116 wrote to memory of 4140	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	101
PID 116 wrote to memory of 4140	116	0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\ADwXcSSGvY\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\ADwXcSSGvY\r.vbs"
    3⤵
    - Drops startup file
    PID:1628
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\ADwXcSSGvY\cfgi"
  2⤵
  PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1216
  2⤵
  - Program crash
  PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116
1⤵
PID:2928

C:\ProgramData\ADwXcSSGvY\r.vbs

Filesize
664B

MD5
93b9bfbc16702b4a580b1b10ade41669

SHA1
c46af90cfafaa8feff2a9c1563a2da73b6f9bf96

SHA256
e14122ddfd187d32e2cf73411a885bc2fae9990ed719d162b8081b92f1419d28

SHA512
ee19ac86906445d342a2d0c024dee7dd8729cc1cc3d7172dbe3fd37cb70fc732d7feba639f06382a4e678a6adcea1eb18a01b3588c9823e2450791723c84752a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtHgNeMqRB.url

Filesize
75B

MD5
2b379682588c1bcb623e04d20869a310

SHA1
bdab53a1491407f835c38bf817f62b43713abd37

SHA256
854654abacce4466699d85a84e4998e1e984219e6ce5763596be2471186c7ef6

SHA512
08f721ad3bee99d7543b1f86bc22f9b9c5e11d56f9f7ee1666e161daf109d97db02741443f324c0f5d653cbd398c032d7258981887f2f76c8e007803e3791b02

Download Submit
memory/116-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/116-0-0x00000000022F0000-0x00000000023F7000-memory.dmp

Filesize
1.0MB

Download
memory/116-2-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/116-15-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/116-16-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download