13a92d3b2f6096c64ee4e49a6d009cf2a3a132054b8b8074c3a436ecf649066a

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 19:29

Target

0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Size

813KB
MD5

0f40cc0b912b48e0953bcf6d4a01df3f
SHA1

81b30d6b2729eed248ae6d0706c73e204a2dd282
SHA256

13a92d3b2f6096c64ee4e49a6d009cf2a3a132054b8b8074c3a436ecf649066a
SHA512

dc96e3ef0cbf5886b9eef9341762a2df66caf1ab4bfcfff5eed646bc0ea63cf047d714b791c183bf160d84f446a9fff7657ce05a207685ed40f973efd691a1a3
SSDEEP

12288:KtnhnNgkFyzzVKX1xEYAxJBb3YylvUakAJPglWmxAxtw++MTHti10Uf5:oFNF8AFCYEZkYglWjNHtiKU

Score

7^/10

Deletes itself 1 IoCs

pid	Process
452	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	usеrinit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 452	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	81

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131074"	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Key created	\registry\machine\Software\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "131074"	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Key created	\registry\machine\Software\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	usеrinit.exe
4740	usеrinit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Token: SeSecurityPrivilege	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
Token: SeDebugPrivilege	4740	usеrinit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 452	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	81
PID 3936 wrote to memory of 452	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	81
PID 3936 wrote to memory of 452	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	81
PID 3936 wrote to memory of 452	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	81
PID 3936 wrote to memory of 4740	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	83
PID 3936 wrote to memory of 4740	3936	0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f40cc0b912b48e0953bcf6d4a01df3f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:452
- \??\globalroot\systemroot\system32\usеrinit.exe
  /install
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740

C:\Windows\System32\usеrinit.exe

Filesize
139KB

MD5
4acd14244d2cd76d06939163127cfb10

SHA1
75f3e3c764f7d20c9950f5410f753f3210bcc2e7

SHA256
29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb

SHA512
001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

Download Submit
\systemroot\system32\mseeeeee.dll

Filesize
717KB

MD5
98438a7e4854d18878685194e25964a0

SHA1
e9a711ca489e0eb92e51a7f7a86da61c99a3e108

SHA256
6aa246e778a51bf461dc6a121435e4cba63cd0ab49a43a2f32ee560839000564

SHA512
0dca63be52fdf86c92c89314020c04bbc76ff24789a765cb9b42105952b622b4c32f81bca880319ca3ba47eefa0f7a7b5d72d42f061b964066b077db1dcf8268

Download Submit
memory/3936-1-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3936-2-0x0000000000400000-0x00000000004CCE00-memory.dmp

Filesize
819KB

Download