d765f20c523ff29b52f8377b70cf67b459adf1ac1f9ed70bcb72216bc290b8df

Analysis

max time kernel
133s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 11:29

Target

15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe
Size

28KB
MD5

15d5d540eea77975b66adef8546872e0
SHA1

c917c98ea3b3835e6c961bbd92ad4e53d2ee427e
SHA256

d765f20c523ff29b52f8377b70cf67b459adf1ac1f9ed70bcb72216bc290b8df
SHA512

1dfd8cace4e284f0a9d23da4b5be1e2715e123dbd992a7bee891638edc6498185ce8402d95dd91b932f48467d364828aa6bb986470b539e2fa005a797779a391
SSDEEP

768:2/EVIAUUAYFrlVLc/emhX2fCbmz6Sb8ePRD+etr/QL0kdLHNa:xAY1rLc/sgmz5QERCeR/S0kFta

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4476	ntserver.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntserver.dll	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntserver.exe	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	4476	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4476	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	89
PID 3164 wrote to memory of 4476	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	89
PID 3164 wrote to memory of 4476	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	89
PID 3164 wrote to memory of 5012	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	90
PID 3164 wrote to memory of 5012	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	90
PID 3164 wrote to memory of 5012	3164	15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15d5d540eea77975b66adef8546872e0_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\ntserver.exe
  C:\Windows\system32/ntserver.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 276
    3⤵
    - Program crash
    PID:3308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\15D5D5~1.EXE > nul
  2⤵
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4476 -ip 4476
1⤵
PID:4828

C:\Windows\SysWOW64\ntserver.exe

Filesize
36KB

MD5
b706db265fd191aba1fc82b4366a6ac0

SHA1
cecc001d5e3eef461910ba62c04fa83307380da1

SHA256
f5452c2c5eb9828204ab9557f534789a5e63ebc85dfb7b0d3be17a925a38f48d

SHA512
d3a70fa71e816cfd69f1709ce02a5582846a8f44ebb146e30ceb59f710f1c4b8723634701ed6cef7adc6739b3310f5a9fb89b0895eb2ca990801384671d71e1d

Download Submit