64fa579a0e5958683ab6a0d81f4c48b640d0030b76b56aad1139432f40231d94

General

Target

0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
Size

61KB
MD5

0d2c07ce5f10a574f48dc2c7fcd68de5
SHA1

8e2d4a3095234065692ce76496b631f52d239a32
SHA256

64fa579a0e5958683ab6a0d81f4c48b640d0030b76b56aad1139432f40231d94
SHA512

826dfbd267f70172d95bc61f304c16b573364c9af82ec781614015c5bea650cc3a289494d32e00148174cea06508628a5c102bb0b4454f9202b584755407aed8
SSDEEP

1536:cZZ9s1rA3FmPl4wK+a7SMqRPdbwK8aAAT3bPjb3Ltn+S2KeiWamt/H/oFI8UpJf6:K9sVA3FmPl4wK+a7SMqRPdbwK8aAAT3f

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\beep.sys	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	3eyes.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	3eyes.exe

Loads dropped DLL 3 IoCs

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3eyes.dll	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3eyes.dll	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\3eyes.dat	3eyes.exe
File created	C:\Windows\SysWOW64\3eyes.exe	3eyes.exe
File opened for modification	C:\Windows\SysWOW64\3eyes.exe	3eyes.exe
File opened for modification	C:\Windows\SysWOW64\3eyes.dll	3eyes.exe
File created	C:\Windows\SysWOW64\3eyes.exe	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3eyes.exe	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2124	WerFault.exe	28

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1284	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2124	3eyes.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2948	1284	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe	29
PID 1284 wrote to memory of 2948	1284	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe	29
PID 1284 wrote to memory of 2948	1284	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe	29
PID 1284 wrote to memory of 2948	1284	0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe	29
PID 2124 wrote to memory of 2660	2124	3eyes.exe	30
PID 2124 wrote to memory of 2660	2124	3eyes.exe	30
PID 2124 wrote to memory of 2660	2124	3eyes.exe	30
PID 2124 wrote to memory of 2660	2124	3eyes.exe	30
PID 2124 wrote to memory of 2692	2124	3eyes.exe	31
PID 2124 wrote to memory of 2692	2124	3eyes.exe	31
PID 2124 wrote to memory of 2692	2124	3eyes.exe	31
PID 2124 wrote to memory of 2692	2124	3eyes.exe	31

C:\Users\Admin\AppData\Local\Temp\0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2c07ce5f10a574f48dc2c7fcd68de5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D2C07~1.EXE > nul
  2⤵
  PID:2948

C:\Windows\SysWOW64\3eyes.exe
C:\Windows\SysWOW64\3eyes.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 164
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\3eyes.exe > nul
  2⤵
  PID:2692

C:\Users\Admin\AppData\Local\Temp\18019.dat

Filesize
220B

MD5
05c6807d7eb27bdce239b75aa539ebe8

SHA1
2e0ea00e6fe0bd338a0eb17c785d179692937bfb

SHA256
41238fbc28c75ded69473b489428d8383ad65a5760b2e2a8cbb7d8972ac6676a

SHA512
fabda8b94cda2948615c88b0fb68fb6b9c59cf758b4ecfcf8399244cee032a2b7108ac2140a9ea7c7c9030b119ff37211e433a126b43b6af8c17edb80cbc37ab

Download Submit
C:\Windows\SysWOW64\3eyes.dll

Filesize
45KB

MD5
cc5ec63c9a72d67c82a0dfbb3d45b63e

SHA1
ac595a56a44bb5c71441b91ce8ee301216d6fcce

SHA256
5ab7906a8e036d7945c93d7f60ac2e3a33f679d7032621d7dcdd2926489fb1bc

SHA512
2785fafaf87e948fb16b30f64b78e1f597b02052700dc973658b354efcf922b471617249aff865eb13f235608646937be18b1c0c44d6fc8ef8467aea1b2ab345

Download Submit
C:\Windows\SysWOW64\3eyes.exe

Filesize
61KB

MD5
0d2c07ce5f10a574f48dc2c7fcd68de5

SHA1
8e2d4a3095234065692ce76496b631f52d239a32

SHA256
64fa579a0e5958683ab6a0d81f4c48b640d0030b76b56aad1139432f40231d94

SHA512
826dfbd267f70172d95bc61f304c16b573364c9af82ec781614015c5bea650cc3a289494d32e00148174cea06508628a5c102bb0b4454f9202b584755407aed8

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
3KB

MD5
3ebdb873a18aecc8d4b6c3b39002c0ea

SHA1
c465747641c9cff0faeaba8fca5558a459545bfd

SHA256
c87d8835a362be5f4e8506afb7be753cb562a7a950417df0ec7e781a0ba846bd

SHA512
77b955e6988ec1df46298505b8a2c68aaa86ccc5f7df0a66694e737ebe64326ab0ed788b156c280e207241c1815ffc16e6d1ed3e2cbf5a8a9c5cb7d990da2189

Download Submit