55b06b73627c59a2848429b38c977d37ae643a508cfd41d5e9411dd7df5f2d09

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 16:27

Target

07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe
Size

2.3MB
MD5

07bb7840b9ee70152a9dd1702542027e
SHA1

3d3fed25e5808591d8e6952a80d03172d22f9674
SHA256

55b06b73627c59a2848429b38c977d37ae643a508cfd41d5e9411dd7df5f2d09
SHA512

d8c71a0d9bd50aad99ae065eef1835b0a80b51cc3b46c78f6cdcf0ff300db62d6b60b87378fecbb499c7d87ba3f41a606d5c610ed80eeee2ec26a96f09040d80
SSDEEP

49152:1eT0w2nzFPDvL5Y0gi4l618cVQaOWjFDycR0D2:i8xJgi4EWSDta6

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
760	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp

Kills process with taskkill 1 IoCs

evasion

pid	Process
3540	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 760	404	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe	89
PID 404 wrote to memory of 760	404	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe	89
PID 404 wrote to memory of 760	404	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe	89
PID 760 wrote to memory of 3240	760	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp	90
PID 760 wrote to memory of 3240	760	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp	90
PID 760 wrote to memory of 3240	760	07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp	90
PID 3240 wrote to memory of 3540	3240	cmd.exe	92
PID 3240 wrote to memory of 3540	3240	cmd.exe	92
PID 3240 wrote to memory of 3540	3240	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\is-38A7C.tmp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-38A7C.tmp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp" /SL5="$70206,2031999,140800,C:\Users\Admin\AppData\Local\Temp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c taskkill /f /im chfolder.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chfolder.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\is-38A7C.tmp\07bb7840b9ee70152a9dd1702542027e_JaffaCakes118.tmp

Filesize
1.1MB

MD5
023e36346f674e23b5da294a1c003330

SHA1
4561dc3a88e443bea148926cb6e4f8689b415306

SHA256
5f1474b019f5b03e7e3deb0df1c15a8820116895e164785504ccd62fa70aaf50

SHA512
6dece97d3d48927371cabb6e1ca251a216d120043948ff1b19e2e1098636301dbee94759f63ad96dce6d103d27f07a1665c7ac0d020bf6d7d1c6982aae35edc8

Download Submit
memory/404-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/404-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/404-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/760-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/760-13-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download