83643f6f03a61471c548172eea1aeaaf6aecd75d9604424c2c7bcdd491a9e04b

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 14:41

Target

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
Size

1.3MB
MD5

724c4e4983e766968e9aab850af1c889
SHA1

6b8288b41b454fb8163f8c2cfde6526379c4182e
SHA256

83643f6f03a61471c548172eea1aeaaf6aecd75d9604424c2c7bcdd491a9e04b
SHA512

5fc6b7dc2105e1a208eac2fd9cb777f22d694900e098ee56a8029a9ff418d8035da9ad883d83391be164b51af5b12c1b5b987ad4ffb4002fc2c268abc58b43e7
SSDEEP

24576:GzAreSwJO3Jn4VlFx6edsS0s6gZ4PcLEXVSRzvxtGsiQhG+XdA4N5A:GzArnZJnULsq5uVSRzJ0064c

Score

7^/10

Drops startup file 1 IoCs

Processes:

wscript.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4104	1176	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 1176 wrote to memory of 4444	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	97
PID 1176 wrote to memory of 4444	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	97
PID 1176 wrote to memory of 4444	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	97
PID 4444 wrote to memory of 3776	4444	cmd.exe	99
PID 4444 wrote to memory of 3776	4444	cmd.exe	99
PID 4444 wrote to memory of 3776	4444	cmd.exe	99
PID 1176 wrote to memory of 4836	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	101
PID 1176 wrote to memory of 4836	1176	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:3776
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1004
  2⤵
  - Program crash
  PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1176 -ip 1176
1⤵
PID:4352

C:\ProgramData\GCxcrhlcfj\r.vbs

Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url

Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/1176-1-0x0000000002050000-0x000000000215E000-memory.dmp

Filesize
1.1MB

Download
memory/1176-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1176-3-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1176-5-0x0000000002050000-0x000000000215E000-memory.dmp

Filesize
1.1MB

Download
memory/1176-6-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1176-18-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1176-19-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download