725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 15:47

Target

076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
Size

458KB
MD5

076e92a51ed399ba6da364a546bfab4c
SHA1

6001ed4a3bbf595ed7fca7ef474b623992d01088
SHA256

725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8
SHA512

ac7cc34e3d1ac95609916d589c16bac66e2bc745c8973f96899299a32579cf3f0045867102adb50035beacfff2f038ce77388c836ea9cf795875001e92771123
SSDEEP

12288:lfCS4fa6d/iG+21/9ay8DPuWMl6HZtvm3:ZlTL2ey8DGp++3

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1012	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
Token: SeDebugPrivilege	1012	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1012	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 5100	1012	Hacker.com.cn.exe	86
PID 1012 wrote to memory of 5100	1012	Hacker.com.cn.exe	86
PID 556 wrote to memory of 3940	556	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	87
PID 556 wrote to memory of 3940	556	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	87
PID 556 wrote to memory of 3940	556	076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\076e92a51ed399ba6da364a546bfab4c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3940

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:5100

C:\Windows\Hacker.com.cn.exe

Filesize
458KB

MD5
076e92a51ed399ba6da364a546bfab4c

SHA1
6001ed4a3bbf595ed7fca7ef474b623992d01088

SHA256
725deb1097ce51b0051423a7744f5c9c9725d735922b9163df3820938ab711d8

SHA512
ac7cc34e3d1ac95609916d589c16bac66e2bc745c8973f96899299a32579cf3f0045867102adb50035beacfff2f038ce77388c836ea9cf795875001e92771123

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
978c68f23758d0bc391f0fdf3a1581a0

SHA1
ac7bac3770e8d16cbd01052191a8ac17a67ba34c

SHA256
a54c0886430036dfa4c3386dc07c994da33c24d4413b26200569fa2d42cadb6c

SHA512
3f645f81cc8245f6f930df9cc31f23c838c0a58950a383aa2e2733c88004092fa5f2e2ed3175df067e4cd66280657666a54a532f078211d4b6cdc69bed6a785c

Download Submit
memory/556-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/556-1-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/556-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1012-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1012-7-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1012-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1012-13-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1012-14-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download