8fd13523e0e7195a75935cea7669668960008c17d11298566faf9c5e29ae1ffe

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 15:45

Target

169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Size

152KB
MD5

169362e44d8310794880ff8ac4bbc8f6
SHA1

dd03bd3d21ee937cdfa3b56f78bb17e987fb36cd
SHA256

8fd13523e0e7195a75935cea7669668960008c17d11298566faf9c5e29ae1ffe
SHA512

3a2d94f289f691bd2c7c026a2577465a98902dfc02ac939970e37ded476b4dcb31d4288785f2245bd36699079e5b4cf2222423d44da7a157d950d3a90333dd20
SSDEEP

3072:lNrnRPuVZ3Cn5OEU1ahfqPtDHqmHx9JSTnTAcH4n3QeN0Z:jrRPuVJrIhfqVrjxzankcH43E

Score

5^/10

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wi240594812nd.temp	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
File created	C:\Windows\ServicePackFiles\i386\xmlprov.dll	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4124	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	83
PID 2560 wrote to memory of 4124	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	83
PID 2560 wrote to memory of 4124	2560	169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\169362e44d8310794880ff8ac4bbc8f6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\169362~1.EXE > nul
  2⤵
  PID:4124

C:\Program Files\Internet Explorer\file.tmp

Filesize
10.1MB

MD5
56c16225e160c9fd31409d85f54e0826

SHA1
9e63ab670bba9fe008f3d0cedad624edc24937d0

SHA256
7bf4107dab62a37c7cc7e80cf44435355bfa661e9ffe001ac17584bc76a03205

SHA512
e4a4a31b1486f04433b7d500c0b2c7cdbf1d30e1a3bc8f424739ed79460860a628d05f5c552cf306274a79544fa0432938089d60a73230b28febdb02c3525fc4

Download Submit
memory/2560-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2560-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download