f8905928f3d13b1a9ebfe9564dcb1980b8448c90a2622a173cde73ff4b3d7d1f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 10:52

Target

081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe
Size

1.1MB
MD5

081792323bbfcd1bd02887ab18003713
SHA1

da2e378185a87792a95bf0db1b64fe9c971fd957
SHA256

f8905928f3d13b1a9ebfe9564dcb1980b8448c90a2622a173cde73ff4b3d7d1f
SHA512

5827ce4f01378bb767cbc0839bce5bd3111fca68da47404f0ac8e29007a31cdb3bf6f9bf268cb6ab1897d5d1b61eff93dae109901d302d562956fe97ac33de05
SSDEEP

24576:UxnU4gf2EW5A2JJr1k3hJvOIk6LXslddU98Pm31Ar:US43Jp1eljslnDPm3

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1564	msinfo32.ini

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 1104	1564	msinfo32.ini	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.ini	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.ini	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	1104	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe
Token: SeDebugPrivilege	1564	msinfo32.ini

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4592	452	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe	81
PID 452 wrote to memory of 4592	452	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe	81
PID 452 wrote to memory of 4592	452	081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe	81
PID 1564 wrote to memory of 4020	1564	msinfo32.ini	84
PID 1564 wrote to memory of 4020	1564	msinfo32.ini	84
PID 1564 wrote to memory of 4020	1564	msinfo32.ini	84
PID 1564 wrote to memory of 1104	1564	msinfo32.ini	86
PID 1564 wrote to memory of 1104	1564	msinfo32.ini	86
PID 1564 wrote to memory of 1104	1564	msinfo32.ini	86
PID 1564 wrote to memory of 1104	1564	msinfo32.ini	86
PID 1564 wrote to memory of 1104	1564	msinfo32.ini	86

C:\Users\Admin\AppData\Local\Temp\081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\081792323bbfcd1bd02887ab18003713_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c set date=%date% &&date 2006-8-8 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
  2⤵
  PID:4592

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.ini
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.ini"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c set date=%date% &&date 2006-8-8 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
  2⤵
  PID:4020
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 12
    3⤵
    - Program crash
    PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1104 -ip 1104
1⤵
PID:2372

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.ini

Filesize
1.1MB

MD5
081792323bbfcd1bd02887ab18003713

SHA1
da2e378185a87792a95bf0db1b64fe9c971fd957

SHA256
f8905928f3d13b1a9ebfe9564dcb1980b8448c90a2622a173cde73ff4b3d7d1f

SHA512
5827ce4f01378bb767cbc0839bce5bd3111fca68da47404f0ac8e29007a31cdb3bf6f9bf268cb6ab1897d5d1b61eff93dae109901d302d562956fe97ac33de05

Download Submit
memory/452-0-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/452-1-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/452-9-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1564-6-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1564-7-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1564-10-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download