286ffeb0f700a56deb871afe19ce11967afda098a3e8898452e6039c5a8a1215

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 10:49

Target

19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe
Size

10KB
MD5

19d7bd17b9ebb6180b82d11f88ef6b1f
SHA1

743e9734a8c9aeace11c587f2a376d6fdf973fb5
SHA256

286ffeb0f700a56deb871afe19ce11967afda098a3e8898452e6039c5a8a1215
SHA512

fad804dd4cb6a82ddbf283395e71d177abcdb4a2662bcdeabb772d97850b5bfd0c6c334f6da1dd850fcc71007c3d2753ea521a99752d6c21c55fb6f2203ce535
SSDEEP

192:TA+wjFvgraEstF2E/YF7YucoguBefcAa4PECHYVgoYFkgUwuvh2:TA+wFoVp/7ZFef9aME1VdYqH2

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2376	r18029.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	r18029.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe
2376	r18029.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sh18029.add	r18029.exe
File opened for modification	C:\Windows\SysWOW64\csrss.dll	r18029.exe
File created	C:\Windows\SysWOW64\r18029.exe	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\r18029.exe	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\csrss.dll	r18029.exe
File created	C:\Windows\SysWOW64\rpcss.dll	r18029.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	r18029.exe
File created	C:\Windows\SysWOW64\sh18029.dll	r18029.exe
File opened for modification	C:\Windows\SysWOW64\sh18029.dll	r18029.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2376	r18029.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	r18029.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2376	2592	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe	28
PID 2592 wrote to memory of 2376	2592	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe	28
PID 2592 wrote to memory of 2376	2592	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe	28
PID 2592 wrote to memory of 2376	2592	19d7bd17b9ebb6180b82d11f88ef6b1f_JaffaCakes118.exe	28
PID 2376 wrote to memory of 1232	2376	r18029.exe	21

C:\Users\Admin\AppData\Local\Temp\~f761dfc.~~~

Filesize
26KB

MD5
963202b867503df9d2722e03de0015d3

SHA1
ded23c11ac25523faf985c003605aeae029abd23

SHA256
89b10e95fc6c4bedc08e069d5cf536c808e81faabbc91d0ddf9a06eabc04bbc2

SHA512
dde18d6736ac0c59679ad3217d1a53e2adb0a5b9e43715ed6b5514cf61fbb1c0fff36d4bbd95f5bed7d797c7ed1061c49d070835ab41bfc06dd73de560a0899d

Download Submit
\Windows\SysWOW64\r18029.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1232-17-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2376-10-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2592-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download