36a4251b94d63145e3c99aa6ede2ffa727bd78c5ff83255b0928b7c0c934ce61

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:00

Target

063862283efc1a22008008cb542301a6_JaffaCakes118.exe
Size

349KB
MD5

063862283efc1a22008008cb542301a6
SHA1

ae57f6c8436f461f8a2711f0268db6d54203d2d9
SHA256

36a4251b94d63145e3c99aa6ede2ffa727bd78c5ff83255b0928b7c0c934ce61
SHA512

2f17708d074b8e6557b973a44d7a0d453330a04a01222a7e1dbe171fdca928b30ee76151201ae16550049a04134b9155517dbae540d94173aeabe08b49ef14c2
SSDEEP

6144:oOavk2p1sc2oNQlTlbm2AKnkB1/GB2FuO1D0Z4LGyvBcG4+hZCPCny2rWt+e2DH+:otk2pKhoWTl5JkB1m2Fu1Z4L34+hZCPu

Score

7^/10

Deletes itself 1 IoCs

pid	Process
5080	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	X

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4040 set thread context of 5080	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	87

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2392	X
2392	X

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 2392	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	81
PID 4040 wrote to memory of 2392	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	81
PID 2392 wrote to memory of 1608	2392	X	82
PID 2392 wrote to memory of 1608	2392	X	82
PID 2392 wrote to memory of 1608	2392	X	82
PID 4040 wrote to memory of 5080	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	87
PID 4040 wrote to memory of 5080	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	87
PID 4040 wrote to memory of 5080	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	87
PID 4040 wrote to memory of 5080	4040	063862283efc1a22008008cb542301a6_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\6f42fddf\X
  176.53.17.23:80
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies registry class
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:5080

C:\Users\Admin\AppData\Local\6f42fddf\X

Filesize
41KB

MD5
be40a2578e862f1cecc9b9194f524201

SHA1
0c379f375f9bcfab2e8d86161cec07fe4a7dbc12

SHA256
2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6

SHA512
25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

Download Submit
memory/1608-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/4040-2-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/4040-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4040-9-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/4040-10-0x0000000000400000-0x0000000000468E6C-memory.dmp

Filesize
419KB

Download
memory/4040-11-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download