mimikatz | b5a89b46a5f0acdce50d07bd85a307091c1b3c5bdeb9c39f6f388a259234d920

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 22:50

Target

92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe
Size

902KB
MD5

92e0c3b3febfef64a1a41824dda328ca
SHA1

ff8818aa1e1196aa3e10f763bbcc4a9c8ed7e96c
SHA256

b5a89b46a5f0acdce50d07bd85a307091c1b3c5bdeb9c39f6f388a259234d920
SHA512

e26ee1694b84533f415ac6aec59c66b245062b4910e1bd3da0ab21c388c29ec1f57cadeeadbb9d45c15093d919e818a1c1e9ca15de619198819141ba889b6377
SSDEEP

24576:rPSvI8SNSAAhCUEDA2xvMZj5Z/0ePFUZ5f3pMXYTaAg9xPLl:DSCjNUEoB//zPFUZ5f3pMXYTaNVh

Score

10^/10

mimikatz

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 8 IoCs

resource	yara_rule
behavioral1/memory/1696-29-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-27-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-25-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-22-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-19-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-14-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-20-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz
behavioral1/memory/1696-16-0x0000000140000000-0x00000001400D1000-memory.dmp	mimikatz

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1696	1908	92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\92e0c3b3febfef64a1a41824dda328ca_JaffaCakes118.exe"
  2⤵
  PID:1696

memory/1696-29-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-27-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-25-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-22-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-19-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-14-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-10-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-8-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-30-0x0000000140001000-0x0000000140050000-memory.dmp

Filesize
316KB

Download
memory/1696-6-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-24-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1696-20-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-16-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-12-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1696-4-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1908-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download