979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:27

Target

0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
Size

746KB
MD5

0209f3d359bc4fc9c7ae1c170e722024
SHA1

d81eb87d4682a3e382d1b91829d927139d963677
SHA256

979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3
SHA512

08526813a641ba8c4fbd9c71c465a64e483cbc105d83f916d2892f9d8d7e364f50254f2883594dd84dc7e586c4086b0d3e9a5df9d244b18bee5108ae7ad05d39
SSDEEP

12288:GRy8S+2U4u/n/80dW5A0zyR6JwQ5oAlK+GIqv5TIkAbQQ52LYRg08y5rfRZB0:yBEU4ufxdW5A2FJr/kWqvZIkA33DL

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1948	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	wxinx.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
File created	C:\Windows\wxinx.exe	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
File opened for modification	C:\Windows\wxinx.exe	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
Token: SeDebugPrivilege	2356	wxinx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2356	wxinx.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2208	2356	wxinx.exe	29
PID 2356 wrote to memory of 2208	2356	wxinx.exe	29
PID 2356 wrote to memory of 2208	2356	wxinx.exe	29
PID 2356 wrote to memory of 2208	2356	wxinx.exe	29
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30
PID 2284 wrote to memory of 1948	2284	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.BAT
  2⤵
  - Deletes itself
  PID:1948

C:\Windows\wxinx.exe
C:\Windows\wxinx.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2208

C:\Windows\uninstal.BAT

Filesize
218B

MD5
e1354d383c2d161b0f213dfbca1c1c66

SHA1
3cf35e094467f4ba5308057a861c68d4c8a1b736

SHA256
d9d8135f311829da3ace5ef78a6cd937a7ca9d75762bd08615b1ddc35b5e4b11

SHA512
1ee3e7d8d28535315c992d5b2761d6b51a675132a28b123a045bc785e54be3e1abc459bda95b4cd52a9e4bd163bb227792ec53e85a781f8964ae9ab77ff70532

Download Submit
C:\Windows\wxinx.exe

Filesize
746KB

MD5
0209f3d359bc4fc9c7ae1c170e722024

SHA1
d81eb87d4682a3e382d1b91829d927139d963677

SHA256
979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3

SHA512
08526813a641ba8c4fbd9c71c465a64e483cbc105d83f916d2892f9d8d7e364f50254f2883594dd84dc7e586c4086b0d3e9a5df9d244b18bee5108ae7ad05d39

Download Submit
memory/2284-0-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2284-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2356-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2356-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2356-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download