b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a

Analysis

max time kernel
134s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 01:18

Target

2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
Size

208KB
MD5

2423171cb88f7063942c4d30dd8f76db
SHA1

f506f4a108ff0ad25cf4bbd8f4dca01cd84ef675
SHA256

b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a
SHA512

1df92c7f851ad254381006d3239159451a48fec5ba14516692c055e6014db07f172812a53ae3d20943e8b788d693e175808350d265498674d267809ca8a6539e
SSDEEP

1536:PDlTsrr7iKpTdx01CninHK0BtUwQTSO3uhldDNhJahnZfh972/n9KEsquXNangJi:9SK2/0Un0K0BLvO4nDmokSto2

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\uwickwksa.dat	pt.exe

Executes dropped EXE 2 IoCs

pid	Process
3164	pm.exe
4652	pt.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\imm32.dll	pt.exe
File created	C:\Windows\SysWOW64\kb18411911.dll	pt.exe
File opened for modification	C:\Windows\SysWOW64\kb18411911.dll	pt.exe
File opened for modification	C:\Windows\SysWOW64\wsconfig.db	pt.exe
File created	C:\Windows\SysWOW64\imm32.dll.bak	pt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system\pm.exe	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\pt.exe	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4652	pt.exe
4652	pt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	pt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
3164	pm.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3164	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	82
PID 2060 wrote to memory of 3164	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	82
PID 2060 wrote to memory of 3164	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	82
PID 2060 wrote to memory of 4652	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	83
PID 2060 wrote to memory of 4652	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	83
PID 2060 wrote to memory of 4652	2060	2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe	83
PID 4652 wrote to memory of 560	4652	pt.exe	84
PID 4652 wrote to memory of 560	4652	pt.exe	84
PID 4652 wrote to memory of 560	4652	pt.exe	84

C:\Windows\System\pm.exe

Filesize
168KB

MD5
646c4713aa658d4dcc175efd717f71e8

SHA1
33aeaf80c541fca2a49883bacc1c0d4ceffe9b0b

SHA256
66b832132dd451af542aa875297cd63c7609d6efe2760eea38298e370c94478d

SHA512
aab93f9c9009b08a582cc0ccaef623c94a98b83fd2f53aa23f8476ee686bcde1ed49e9e27f7b1d69f3e9f7192ea2453e120991046a567029a9e3980af58cd61d

Download Submit
C:\Windows\System\pt.exe

Filesize
13KB

MD5
90a88f8901863fb5cd511bec0573ea73

SHA1
9f613a65246230ffceb9db77165219686d00bb03

SHA256
f68b882a136314c5263b7f8b0e348cc00be742273302e315d570bc0389b2b803

SHA512
28e3595c295b2a8de2661eaa1de7b4837e5da5ca5ab59c9a16f3527b3e1d8f7af05f069a206275b2bee2ec257f85267232a83023d9ef091a3db2020bc14c7ac1

Download Submit
\??\c:\dele573856.bat

Filesize
115B

MD5
4638ab4058e6ccdd8a7a87fa1a8de930

SHA1
b1cd02b98ace9249e32286d25fa72ffc0bae0ba7

SHA256
c252fa28eb1efaf195dc2e9d90e0f9ca320a5f4eb63114e07df62992231ec60a

SHA512
1b518965c681c983e69c3de9643680521ace5b753233a60f6d2e364357404c4efa9fffad6062630ef3e2b54fd4d4e2f61a9e9681c7707a6e0d871cb8452be581

Download Submit
memory/4652-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4652-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download