7fa1e3e27a20a7c26979f4c76be7461846434d0031a10c913995fcdcd2dde761

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:56

Target

02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe
Size

715KB
MD5

02377a2e9c80a39c470cf66c7bbd8f93
SHA1

94e65a76eebe3d70a4f4b76779d811ee0c1f797e
SHA256

7fa1e3e27a20a7c26979f4c76be7461846434d0031a10c913995fcdcd2dde761
SHA512

f24e90a23faeacea232cbd352614809d2112e63f96533a02e5b784f312e07d5f802944aa8768a6acc7ba8c96c7dd30d5c5db64738b46bafe958e88d6d208047a
SSDEEP

12288:QRkTSklU4g/n/t0EW5A0zypvJwQ5oAlK+G9svnbIk6kQQ52L8Rg08b5sZ6tPn:UUlU4gf2EW5A20Jr/kHsvbIk6OeD5

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
544	Hacker.com.cn.exe

Loads dropped DLL 4 IoCs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 3056	544	Hacker.com.cn.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe
File created	C:\Windows\uninstel.bat	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	2980	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe
Token: SeDebugPrivilege	544	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 544 wrote to memory of 3056	544	Hacker.com.cn.exe	29
PID 2980 wrote to memory of 2288	2980	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2288	2980	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2288	2980	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2288	2980	02377a2e9c80a39c470cf66c7bbd8f93_JaffaCakes118.exe	30

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe................
  2⤵
  PID:3056

C:\Windows\Hacker.com.cn.exe

Filesize
715KB

MD5
02377a2e9c80a39c470cf66c7bbd8f93

SHA1
94e65a76eebe3d70a4f4b76779d811ee0c1f797e

SHA256
7fa1e3e27a20a7c26979f4c76be7461846434d0031a10c913995fcdcd2dde761

SHA512
f24e90a23faeacea232cbd352614809d2112e63f96533a02e5b784f312e07d5f802944aa8768a6acc7ba8c96c7dd30d5c5db64738b46bafe958e88d6d208047a

Download Submit
memory/544-5-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/544-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/544-17-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2980-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2980-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2980-18-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2980-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3056-10-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3056-12-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3056-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download