6bb496439ce30e2d35847f7bcf066c5535890541328372b9d3dda38a6bfe50c8

Analysis

max time kernel
129s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe
Size

35KB
MD5

63ed01a1fc1604963f6cf8c5ba54c071
SHA1

012bb43dec2d3e8238df2ee0e683b9cb911ee1f9
SHA256

6bb496439ce30e2d35847f7bcf066c5535890541328372b9d3dda38a6bfe50c8
SHA512

3a0e0f965bc97c35cc57e348ec7f61d0aa3fb10a6a652246b01febacea70b314aca98f074705171a2d0dfc45b984a193a3f27713f3308c9a8dc5dbee2372ec82
SSDEEP

768:+K7XajaJQsxvfD7X0gOCXq3vLhcB2vurFmah564TX4xYcLdeF:nXajaJQifD7X0gD0v6vrFmah564TX4tG

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3972 63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3972	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 3972 wrote to memory of 5116	3972	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe	csc.exe
PID 3972 wrote to memory of 5116	3972	63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe	csc.exe
PID 5116 wrote to memory of 1996	5116	csc.exe	cvtres.exe
PID 5116 wrote to memory of 1996	5116	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63ed01a1fc1604963f6cf8c5ba54c071_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1piql6qq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BA0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B9F.tmp"
3⤵
PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1piql6qq.dll

Filesize
9KB

MD5
86bafc5a46f7d6c517b4e2e641780090

SHA1
1a5ebb60039d9f5cb8323956579840ddc6e19050

SHA256
1d788905df7b63d62eb6fe4748732b08a5a34ac599b399cddd21a64d9aaed310

SHA512
b156cf6cfcddec3cb9851615b375d8512e81e1da68af7e9fed9bc1176a3c6fb6c02157927c4aee1c650d9f78aae5c5bf456ebde94161c99a95a73f2edf0f1aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BA0.tmp

Filesize
1KB

MD5
54818967ebdc0e65f61c9b2b4cc359f0

SHA1
34c2656b2a370d2424a048676d250ee02ecd3704

SHA256
b62488ca5be08c3c208dc351b1042f2d6b004b96541f07a487709feb4ba0d5d3

SHA512
27580ca911ffedb4af0976142cf7ef4f9966de9034c814d189731f660b4cc3084ed17ccaed304f9be2f822996d9dc9e4371cce3bef322bbe16ebc747b61b8ed1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1piql6qq.0.cs

Filesize
14KB

MD5
c4fb86e419db9ac2d51efc1df1d61fc3

SHA1
560bf8c3cb00f3588f01dedf23e8842fa47e05ce

SHA256
a6de7cd5c28a326e268963bab7af44b2720e56385234fae4894e6d838215a4b3

SHA512
5a1fa5b14fed22a219a2682bfe5e51d7e93e181002088486a0b11733b95189751b1fbd2e1e12f6d6a8349d3036e391d557159f0adba11077c23ac69b834da267

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1piql6qq.cmdline

Filesize
439B

MD5
98b1120dc04280ec4bfca0eedb83a8bd

SHA1
8bf9c56529fc8957d73a391c8e5461a716e2f5b4

SHA256
0e56434276e5e92c4c78e92080831d8ed96bf4371fb03e0bb08cb71f03e54bc9

SHA512
ae910c38fce7b9e99d53ac0e2460e30ed85886b3cedbda2de96278ad239a88461f2740a2386f46416089a44a354acb1c0e3ed4cb4aac58e73e17c683598df357

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4B9F.tmp

Filesize
652B

MD5
db986286d8e92ca4b84915d1a040c6ec

SHA1
da77ab2613f19294f8da4e4d9689d5ef1b4e6a12

SHA256
4479aec29ff43c6a9717277e8bc46c6dd3ac71993ced7217f4f8700560df01ac

SHA512
95fe2dc071ba4569181d06a18c0654b10ee963c7b611edabfb1d1d3eeac4645ebbe9330e24bb18fc83412a59c946657e4210cbf29af8a246b4ee4fffe3aacd75

Download Submit
memory/3972-0-0x00007FF8DC355000-0x00007FF8DC356000-memory.dmp

Filesize
4KB

Download
memory/3972-1-0x00007FF8DC0A0000-0x00007FF8DCA41000-memory.dmp

Filesize
9.6MB

Download
memory/3972-2-0x00007FF8DC0A0000-0x00007FF8DCA41000-memory.dmp

Filesize
9.6MB

Download
memory/3972-19-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3972-22-0x00007FF8DC0A0000-0x00007FF8DCA41000-memory.dmp

Filesize
9.6MB

Download
memory/5116-12-0x00007FF8DC0A0000-0x00007FF8DCA41000-memory.dmp

Filesize
9.6MB

Download
memory/5116-17-0x00007FF8DC0A0000-0x00007FF8DCA41000-memory.dmp

Filesize
9.6MB

Download