c77ba4022846e7e59066d6c7021a9a272056b1b2e445072ad209f37bfb061e20

Analysis

max time kernel
145s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 13:01

Target

17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
Size

2.0MB
MD5

17cb20331d11f4cf3003f4e9bbb5b98a
SHA1

54355e68a195734f6169c9ed930f7aae6a0ee9ce
SHA256

c77ba4022846e7e59066d6c7021a9a272056b1b2e445072ad209f37bfb061e20
SHA512

4a98ca40d7e9caf96de083cd054108cda317f4d066b722f3a4a0bf5e2706d2a23a907db0fc554fe1cb38e0fd385edf65362a2352ab2a65460bd44f239c2fe3c5
SSDEEP

49152:iLSNBo4po43R53O90CRJfMGJXvirT5xfhO50Y+azY6KH:OL4Xh5+mw9yA0Ta8H

Score

7^/10

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AHZSVhvnGm.url	wscript.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4456	2028	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 5012	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	102
PID 2028 wrote to memory of 5012	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	102
PID 2028 wrote to memory of 5012	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	102
PID 5012 wrote to memory of 4168	5012	cmd.exe	104
PID 5012 wrote to memory of 4168	5012	cmd.exe	104
PID 5012 wrote to memory of 4168	5012	cmd.exe	104
PID 2028 wrote to memory of 4016	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	105
PID 2028 wrote to memory of 4016	2028	17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe	105

C:\Users\Admin\AppData\Local\Temp\17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17cb20331d11f4cf3003f4e9bbb5b98a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\pBSiTUERTJ\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\pBSiTUERTJ\r.vbs"
    3⤵
    - Drops startup file
    PID:4168
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\pBSiTUERTJ\cfgi"
  2⤵
  PID:4016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1224
  2⤵
  - Program crash
  PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2028 -ip 2028
1⤵
PID:4184

C:\ProgramData\pBSiTUERTJ\r.vbs

Filesize
658B

MD5
025c9749abe9961e40cd4068e2cc047d

SHA1
0fb7858f65a1ceb1dc8da122aa1bfe55314e88b0

SHA256
536cb727392e341d79693075242da5d4865007503183674a367a8174ccc1b01f

SHA512
a8eea7949d791fb4e401a3982a56cb26e93a902a68b85ddf6197ed4fd7ebf51c1b51cccbedda1408be4abe7737b918b0130f7c21fc700b07e0e5bf33fa6411cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AHZSVhvnGm.url

Filesize
72B

MD5
1242379032e0a71b0cc5e4aefe5be941

SHA1
fefdc6b0833795dceccf530aa0def4b2c0d686a1

SHA256
5194877bf348f0d6fb86827ed3af109c8077b05f9c95473dc166b61b95344a42

SHA512
f5fef05beab85f402c22dc8671a6b547c9cece06f96ee621c061dd1dfb1111307fa063001dde617c070b6d13ebc411315c1074f673763b1d35bfbaf86a0127cc

Download Submit
memory/2028-1-0x0000000002450000-0x0000000002616000-memory.dmp

Filesize
1.8MB

Download
memory/2028-2-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2028-3-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-5-0x0000000002450000-0x0000000002616000-memory.dmp

Filesize
1.8MB

Download
memory/2028-6-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2028-18-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2028-19-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download