979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:27

Target

0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
Size

746KB
MD5

0209f3d359bc4fc9c7ae1c170e722024
SHA1

d81eb87d4682a3e382d1b91829d927139d963677
SHA256

979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3
SHA512

08526813a641ba8c4fbd9c71c465a64e483cbc105d83f916d2892f9d8d7e364f50254f2883594dd84dc7e586c4086b0d3e9a5df9d244b18bee5108ae7ad05d39
SSDEEP

12288:GRy8S+2U4u/n/80dW5A0zyR6JwQ5oAlK+GIqv5TIkAbQQ52LYRg08y5rfRZB0:yBEU4ufxdW5A2FJr/kWqvZIkA33DL

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3560	wxinx.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wxinx.exe	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
File created	C:\Windows\uninstal.BAT	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
File created	C:\Windows\wxinx.exe	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
Token: SeDebugPrivilege	3560	wxinx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3560	wxinx.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2732	3560	wxinx.exe	86
PID 3560 wrote to memory of 2732	3560	wxinx.exe	86
PID 1004 wrote to memory of 5088	1004	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	89
PID 1004 wrote to memory of 5088	1004	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	89
PID 1004 wrote to memory of 5088	1004	0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0209f3d359bc4fc9c7ae1c170e722024_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.BAT
  2⤵
  PID:5088

C:\Windows\wxinx.exe
C:\Windows\wxinx.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2732

C:\Windows\uninstal.BAT

Filesize
218B

MD5
e1354d383c2d161b0f213dfbca1c1c66

SHA1
3cf35e094467f4ba5308057a861c68d4c8a1b736

SHA256
d9d8135f311829da3ace5ef78a6cd937a7ca9d75762bd08615b1ddc35b5e4b11

SHA512
1ee3e7d8d28535315c992d5b2761d6b51a675132a28b123a045bc785e54be3e1abc459bda95b4cd52a9e4bd163bb227792ec53e85a781f8964ae9ab77ff70532

Download Submit
C:\Windows\wxinx.exe

Filesize
746KB

MD5
0209f3d359bc4fc9c7ae1c170e722024

SHA1
d81eb87d4682a3e382d1b91829d927139d963677

SHA256
979da5ca358f9413150cfb33400da1fe5a736a10419c6a06daf9ada90749d9e3

SHA512
08526813a641ba8c4fbd9c71c465a64e483cbc105d83f916d2892f9d8d7e364f50254f2883594dd84dc7e586c4086b0d3e9a5df9d244b18bee5108ae7ad05d39

Download Submit
memory/1004-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1004-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3560-5-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3560-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3560-12-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download