af4bf5aa0670c2a30e407cc5e96c4fc383e4eb693fd0026df6b890677a41098d

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 04:12

Target

2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe
Size

744KB
MD5

2497c3a5c0c1a9d45f2b9e3b470784a0
SHA1

c0f65ff69848da2e5ffca20d2ae30e6d6af4ffb1
SHA256

af4bf5aa0670c2a30e407cc5e96c4fc383e4eb693fd0026df6b890677a41098d
SHA512

8c9799118c62f41eea67a20601f0b9d0e374ee419db988d8fbc59e80189a4e6147095580fb04c852158493ec9ea43b3c502fc48c9eead5019db20360d81f71dc
SSDEEP

12288:KVCFgwOGkY0Wm3/hBCcLnTDUfyDF6k4gOxvSGOGzIWaETWUOSy:5gtWm5Ik3UfyDsk7ONSGOa7O

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	amdcpusetup.exe.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\amdcpusetup.exe.exe	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe
File opened for modification	C:\Windows\amdcpusetup.exe.exe	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe
File created	C:\Windows\61642520.BAT	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2952	amdcpusetup.exe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	amdcpusetup.exe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2088	2952	amdcpusetup.exe.exe	29
PID 2952 wrote to memory of 2088	2952	amdcpusetup.exe.exe	29
PID 2952 wrote to memory of 2088	2952	amdcpusetup.exe.exe	29
PID 2952 wrote to memory of 2088	2952	amdcpusetup.exe.exe	29
PID 2880 wrote to memory of 2168	2880	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2168	2880	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2168	2880	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2168	2880	2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2497c3a5c0c1a9d45f2b9e3b470784a0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2168

C:\Windows\amdcpusetup.exe.exe
C:\Windows\amdcpusetup.exe.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2088

C:\Windows\61642520.BAT

Filesize
218B

MD5
431cc88f3315d9fd56ec0bd20f5ff525

SHA1
3f1d0383c2e66a79cf45e4121f9c9feece3f5d32

SHA256
33f15ce297483a805c4f4c502c2855cda9924d08364c78e3d0a00cdb13091707

SHA512
f3dac53d582f9428a003591c5a94a00fb4fc6cd133f595bea415aa8aba89163fb2809b523daacf0cb87eaace9f3d886c71b579f838cec841ec50654455ae43e3

Download Submit
C:\Windows\amdcpusetup.exe.exe

Filesize
744KB

MD5
2497c3a5c0c1a9d45f2b9e3b470784a0

SHA1
c0f65ff69848da2e5ffca20d2ae30e6d6af4ffb1

SHA256
af4bf5aa0670c2a30e407cc5e96c4fc383e4eb693fd0026df6b890677a41098d

SHA512
8c9799118c62f41eea67a20601f0b9d0e374ee419db988d8fbc59e80189a4e6147095580fb04c852158493ec9ea43b3c502fc48c9eead5019db20360d81f71dc

Download Submit
memory/2880-0-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2880-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2880-17-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2952-5-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2952-7-0x00000000002B0000-0x0000000000373000-memory.dmp

Filesize
780KB

Download
memory/2952-8-0x00000000002B0000-0x0000000000373000-memory.dmp

Filesize
780KB

Download
memory/2952-19-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download