3ddcdf2d0e1afa87ca2b55d96775691cd33a31bd84543ee1081488bd7f99eed9

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
Size

20KB
MD5

0e164845833decea7bcf5ea7ff3f68de
SHA1

84cde72064677e0e76eba4ee3e040244b1197cd9
SHA256

3ddcdf2d0e1afa87ca2b55d96775691cd33a31bd84543ee1081488bd7f99eed9
SHA512

1befd80db6ecd968b84cdef3a6f919ae79a2209da8c3a6bfa6a2f0bb939871b7695cce2af3023c9445aab071ca372631255a0da13ec654c61234b282a5f995a4
SSDEEP

384:PU398UjtZC+tBagAlugVRyuOS3E8/kWzfzwdH2zS7EY6U0Qtd:q91vMlugVTBESTzwozkEY6U5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3740	Sysmsge.exe

Loads dropped DLL 1 IoCs

pid	Process
3740	Sysmsge.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysmon.dll	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sysmsge.exe	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
3740	Sysmsge.exe
3740	Sysmsge.exe
3740	Sysmsge.exe
3740	Sysmsge.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3740	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	82
PID 3924 wrote to memory of 3740	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	82
PID 3924 wrote to memory of 3740	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	82
PID 3924 wrote to memory of 2624	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	83
PID 3924 wrote to memory of 2624	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	83
PID 3924 wrote to memory of 2624	3924	0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\Sysmsge.exe
  "C:\Windows\system32\Sysmsge.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0E1648~1.EXE > nul
  2⤵
  PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SYSMON.DLL

Filesize
36KB

MD5
a454d8e984fa9dee17d92b7cd0ddc557

SHA1
1a0836cd4538bcaae05968430c9a401b07b8ad7e

SHA256
15f83d14eaa7ffeedf1d251f7e84c2668245278f71d4a3deab5a16afb43a7731

SHA512
27d62aff81f6159b466a9dbd31bfae8cceb00d1d540a1340fe2bed73d2c2bf62dc354a17fe876c615ebf8cb953ef212a0186299cf38d0c6cdc1d58951c55f41f

Download Submit
C:\Windows\SysWOW64\Sysmsge.exe

Filesize
20KB

MD5
07bc73c1bd4b6658cef9130603b62569

SHA1
79270b1d53542a33da395b5c91d8850ae7c99928

SHA256
88005a77b27e7a685381adca91b577e5678f40dfdce66c45cb1a8b5ba2068e56

SHA512
56c12c1a3c51f673bd9785cd0e667aa6316043d9ebfcf7b760f6b82b538219a796a82f2aa57f74075410e33618d88bb5bc8144e0a743de03324e14ee3e6f467b

Download Submit
memory/3740-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3740-10-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3740-12-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3740-11-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3740-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3740-15-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3740-14-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3924-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3924-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download