8fd13523e0e7195a75935cea7669668960008c17d11298566faf9c5e29ae1ffe

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 15:45

Target

169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Size

152KB
MD5

169362e44d8310794880ff8ac4bbc8f6
SHA1

dd03bd3d21ee937cdfa3b56f78bb17e987fb36cd
SHA256

8fd13523e0e7195a75935cea7669668960008c17d11298566faf9c5e29ae1ffe
SHA512

3a2d94f289f691bd2c7c026a2577465a98902dfc02ac939970e37ded476b4dcb31d4288785f2245bd36699079e5b4cf2222423d44da7a157d950d3a90333dd20
SSDEEP

3072:lNrnRPuVZ3Cn5OEU1ahfqPtDHqmHx9JSTnTAcH4n3QeN0Z:jrRPuVJrIhfqVrjxzankcH43E

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wi259396450nd.temp	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File created	C:\Windows\ServicePackFiles\i386\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2644	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2644	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2644	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2644	3012	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\169362~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2644

C:\Program Files\Internet Explorer\file.tmp

Filesize
10.1MB

MD5
76e0903b31756296eab34be5151d6b60

SHA1
92d9be193174944c9195b471648206f492765ac9

SHA256
e66d15943e8f0028bb37630a18e0c67b5cb96a28a74f6745702265f807c491c8

SHA512
c5c8852e131e203d8acf8631c14e4114b7af896f1efff34383ae025da40e77cb57394f8e438ca59b08cd17609b4949c4a8301a1fccf89324beccfb5d7f54376a

Download Submit
memory/3012-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3012-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download