725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 15:47

Target

076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
Size

458KB
MD5

076e92a51ed399ba6da364a546bfab4c
SHA1

6001ed4a3bbf595ed7fca7ef474b623992d01088
SHA256

725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8
SHA512

ac7cc34e3d1ac95609916d589c16bac66e2bc745c8973f96899299a32579cf3f0045867102adb50035beacfff2f038ce77388c836ea9cf795875001e92771123
SSDEEP

12288:lfCS4fa6d/iG+21/9ay8DPuWMl6HZtvm3:ZlTL2ey8DGp++3

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2504	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
Token: SeDebugPrivilege	2208	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2208	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1432	2208	Hacker.com.cn.exe	29
PID 2208 wrote to memory of 1432	2208	Hacker.com.cn.exe	29
PID 2208 wrote to memory of 1432	2208	Hacker.com.cn.exe	29
PID 2208 wrote to memory of 1432	2208	Hacker.com.cn.exe	29
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2504	2204	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2504

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1432

C:\Windows\Hacker.com.cn.exe

Filesize
458KB

MD5
076e92a51ed399ba6da364a546bfab4c

SHA1
6001ed4a3bbf595ed7fca7ef474b623992d01088

SHA256
725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8

SHA512
ac7cc34e3d1ac95609916d589c16bac66e2bc745c8973f96899299a32579cf3f0045867102adb50035beacfff2f038ce77388c836ea9cf795875001e92771123

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
978c68f23758d0bc391f0fdf3a1581a0

SHA1
ac7bac3770e8d16cbd01052191a8ac17a67ba34c

SHA256
a54c0886430036dfa4c3386dc07c994da33c24d4413b26200569fa2d42cadb6c

SHA512
3f645f81cc8245f6f930df9cc31f23c838c0a58950a383aa2e2733c88004092fa5f2e2ed3175df067e4cd66280657666a54a532f078211d4b6cdc69bed6a785c

Download Submit
memory/2204-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2204-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2204-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2208-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2208-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2208-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download