27b35e6cd3bf25ac1dde6a0ab3cc54f32c354b2b12d2473b592289e7125f8994

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe
Size

290KB
MD5

21e0d1847d1c1b7bcbea67f7ea566482
SHA1

964b5907665f04b5775b583af24fce963cf286f5
SHA256

27b35e6cd3bf25ac1dde6a0ab3cc54f32c354b2b12d2473b592289e7125f8994
SHA512

c2229b8ea84b8744357b92d537ee5ac8cc0ecd0d3e6100641a1d39d4051870ce43655f515e527a07a90f5812ed3c438a9b39e00f49b56bc685e71ba56b2c2552
SSDEEP

6144:i27v2Ers5O+WbUe8rzEdk+HsexRFvI9Mk21RSkHCUfYlZTZlU7nX4/xkde2wHrJ:T7v2+su6MdkovxTI9l+0jUfKZFK7XqCi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	iceker

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 1048	2060	iceker	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\UNINSTAL.BAT	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe
File created	C:\Windows\iceker	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe
File opened for modification	C:\Windows\iceker	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe
Token: SeDebugPrivilege	2060	iceker

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2724	1704	21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1048	2060	iceker	29
PID 2060 wrote to memory of 1048	2060	iceker	29
PID 2060 wrote to memory of 1048	2060	iceker	29
PID 2060 wrote to memory of 1048	2060	iceker	29
PID 2060 wrote to memory of 1048	2060	iceker	29
PID 2060 wrote to memory of 1048	2060	iceker	29

C:\Users\Admin\AppData\Local\Temp\21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21e0d1847d1c1b7bcbea67f7ea566482_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2724

C:\Windows\iceker
C:\Windows\iceker
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
d7eeac93fd8c4713250ff85d2fc45694

SHA1
dc9e9f2873ac0ffe8777fb4f6a44898917863a7a

SHA256
fe91514e95ae6d421122914b82d4ccda69d57dd87685d0f326565e6ad8d113e8

SHA512
630acaf04e31c4423e558f694ac25710e81281b583649866186b542cd8b89f38547f0cdf59952245d6cf74e91ffb1b93847ae01972a50ad58ea9ee33bff6578e

Download Submit
C:\Windows\iceker

Filesize
290KB

MD5
21e0d1847d1c1b7bcbea67f7ea566482

SHA1
964b5907665f04b5775b583af24fce963cf286f5

SHA256
27b35e6cd3bf25ac1dde6a0ab3cc54f32c354b2b12d2473b592289e7125f8994

SHA512
c2229b8ea84b8744357b92d537ee5ac8cc0ecd0d3e6100641a1d39d4051870ce43655f515e527a07a90f5812ed3c438a9b39e00f49b56bc685e71ba56b2c2552

Download Submit
memory/1048-24-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1048-22-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1048-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-3-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1704-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1704-19-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1704-0-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1704-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2060-8-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2060-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2060-26-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download