96b9f7365c11dc3a4971685fa551a6683f39d2bb8d57a4540d702e7f8baba90f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 08:39

Target

21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
Size

86KB
MD5

21bbd05a98988cd3ad21dfc3668736fd
SHA1

7e2d04c877ff7543b74ca89fccdbb0899cd22378
SHA256

96b9f7365c11dc3a4971685fa551a6683f39d2bb8d57a4540d702e7f8baba90f
SHA512

bf6b835dace31b867ab2faeaac2f7bd5616b70fac15edb4016e36dd118f62221e466e7d308a0d0f4327df423dd1f12e754ed199b38e16fbb883baac7f8c1bfe0
SSDEEP

1536:rasi8aHYEYcLXb9xw9PogDnmT2t4Y6GbWwAMu/4umceyyLsuK:+sirYEYcLrDAbS2yY3clQuH5isT

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\wrdoor0.dll	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\wrdoor0.dll	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6BBDC08-97D4-750B-4624-E9866DAD3B56}	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6BBDC08-97D4-750B-4624-E9866DAD3B56}\ooExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe"	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6BBDC08-97D4-750B-4624-E9866DAD3B56}\ooDllModuleName = "C:\\Windows\\Fonts\\wrdoor0.dll"	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6BBDC08-97D4-750B-4624-E9866DAD3B56}\ooSobjEventName = "VBCFGDRTERSSDMN_0"	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe
1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1188	1912	21bbd05a98988cd3ad21dfc3668736fd_JaffaCakes118.exe	21

\Windows\Fonts\wrdoor0.dll

Filesize
254KB

MD5
e634d70bf5d1b356fab4baeaaacb720c

SHA1
eda8f3f3f33ce50d8c0db683ab2a18133a3a7a89

SHA256
2ab0add9b5695a3b2d955dcc4d60a297e6aea07814b9f8275559972e6d99bc6b

SHA512
083aa08b94ca7f23c4f6f2f6535f0af83c1e287f4b1997a62c45df0fe06a6357f4f85c348139cac79e3043fde30ca1fc00640148ae851c3e32f31b9b87214287

Download Submit
memory/1188-4-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1912-5-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download