82188dd9683e49f65a0adb400cc7d9931f78602e71dbe3121d6d05351daa41e8

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 20:27

Target

3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe
Size

28KB
MD5

3bedec0839b94bf79d2ec7486b582853
SHA1

8122e0bebca68cba1b5cbe7c3b46b2119ee45ed1
SHA256

82188dd9683e49f65a0adb400cc7d9931f78602e71dbe3121d6d05351daa41e8
SHA512

f336f4e31647cb549bf9b3747a53fa4f4870191a96eb4a10a1bdeef85fddd0c8c261378e88c462e8ac060cc75eef519010a2feb731e5c9ad3f6df101dcb05555
SSDEEP

384:DpVXS3ePXDNRduIJRdYVceYLZpXAt8bf3mowm:lhSubNRduWYWNv

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe
2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\smss.exe	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe
File opened for modification	C:\Program Files\smss.exe	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2880	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2880	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2880	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2880	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2560	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2560	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2560	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	29
PID 2856 wrote to memory of 2560	2856	3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bedec0839b94bf79d2ec7486b582853_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files\smss.exe
  "C:\Program Files\smss.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3BEDEC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

\Program Files\smss.exe

Filesize
15.7MB

MD5
098187a63ac62b84670e09ee6fe5980b

SHA1
71bdc7533bec8ff472eb9de0c9187b3496a64777

SHA256
faa47a28688788becf6c874d5399baf9090b2ac8bff7966450195b474aee33e2

SHA512
a4d5e3ee4634fdd8d4a0724036c213b2279f7641b0b4f82aa607164356c2cc5bdee706f229f821c64713bbed19f1bcffc3b4e5b3366a39ba912b4a8ab2ed921e

Download Submit