efca3e636f776daf22d700ef34b689dc452d11595af613442e06da50207e20ee

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Size

403KB
MD5

085453ff8d4bd3c83884ed306962a2c1
SHA1

14d2715f8ef9c5b4fe8b44603fa4275e1d0fbbe7
SHA256

efca3e636f776daf22d700ef34b689dc452d11595af613442e06da50207e20ee
SHA512

1d46c4869f3a0360609b0261ee9f330adf8d8e412d186ae21028fc5a822117da106cd649250c579b292bdd7a4c5669ee11dfde30680be5c2bce91dda9bea1b2a
SSDEEP

6144:+1lxqVi78oy7v1vvGptQZy0CDRHBcv9Pg2hXTCkgrgJGZnqkBSCjn0:487vhAJtDQ9zJCkRoqASCjn0

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	344	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2412	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2292	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1908	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	304	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1536	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	980	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1348	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1636	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2844	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2296	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1856	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1132	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1544	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1608	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1300	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
Token: SeDebugPrivilege	1776	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 344	2240	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	28
PID 2240 wrote to memory of 344	2240	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	28
PID 2240 wrote to memory of 344	2240	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	28
PID 344 wrote to memory of 2412	344	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	29
PID 344 wrote to memory of 2412	344	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	29
PID 344 wrote to memory of 2412	344	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2660	2412	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2660	2412	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2660	2412	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2612	2660	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2612	2660	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2612	2660	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	31
PID 2612 wrote to memory of 2792	2612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2792	2612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	32
PID 2612 wrote to memory of 2792	2612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2640	2792	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2640	2792	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2640	2792	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2292	2640	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	36
PID 2640 wrote to memory of 2292	2640	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	36
PID 2640 wrote to memory of 2292	2640	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	36
PID 2292 wrote to memory of 1908	2292	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	37
PID 2292 wrote to memory of 1908	2292	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	37
PID 2292 wrote to memory of 1908	2292	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	37
PID 1908 wrote to memory of 304	1908	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	38
PID 1908 wrote to memory of 304	1908	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	38
PID 1908 wrote to memory of 304	1908	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	38
PID 304 wrote to memory of 1612	304	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	39
PID 304 wrote to memory of 1612	304	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	39
PID 304 wrote to memory of 1612	304	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	39
PID 1612 wrote to memory of 1536	1612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	40
PID 1612 wrote to memory of 1536	1612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	40
PID 1612 wrote to memory of 1536	1612	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	40
PID 1536 wrote to memory of 980	1536	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	41
PID 1536 wrote to memory of 980	1536	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	41
PID 1536 wrote to memory of 980	1536	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	41
PID 980 wrote to memory of 1348	980	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	42
PID 980 wrote to memory of 1348	980	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	42
PID 980 wrote to memory of 1348	980	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	42
PID 1348 wrote to memory of 1636	1348	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	43
PID 1348 wrote to memory of 1636	1348	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	43
PID 1348 wrote to memory of 1636	1348	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	43
PID 1636 wrote to memory of 2844	1636	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	44
PID 1636 wrote to memory of 2844	1636	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	44
PID 1636 wrote to memory of 2844	1636	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	44
PID 2844 wrote to memory of 2296	2844	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	45
PID 2844 wrote to memory of 2296	2844	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	45
PID 2844 wrote to memory of 2296	2844	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	45
PID 2296 wrote to memory of 1856	2296	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	46
PID 2296 wrote to memory of 1856	2296	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	46
PID 2296 wrote to memory of 1856	2296	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1132	1856	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	47
PID 1856 wrote to memory of 1132	1856	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	47
PID 1856 wrote to memory of 1132	1856	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	47
PID 1132 wrote to memory of 1544	1132	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	48
PID 1132 wrote to memory of 1544	1132	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	48
PID 1132 wrote to memory of 1544	1132	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	48
PID 1544 wrote to memory of 1608	1544	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	49
PID 1544 wrote to memory of 1608	1544	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	49
PID 1544 wrote to memory of 1608	1544	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	49
PID 1608 wrote to memory of 1300	1608	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	50
PID 1608 wrote to memory of 1300	1608	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	50
PID 1608 wrote to memory of 1300	1608	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	50
PID 1300 wrote to memory of 1776	1300	085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        8⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        10⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        12⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        14⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        16⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        18⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        20⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        22⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\085453ff8d4bd3c83884ed306962a2c1_JaffaCakes118.exe
        24⤵
        
        PID:348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-4-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/344-5-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/344-7-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/344-8-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2240-0-0x000007FEF57EE000-0x000007FEF57EF000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2240-2-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2240-3-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2240-6-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads