c803037796a5f186579d9df7729d13a9bac07abb852fe790049ca12188a55b93

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 07:04

Target

250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe
Size

389KB
MD5

250b8e3d2870944feb2993005ed56bd4
SHA1

98b43e7fcc71facf9c797fd66e4587505fe04f08
SHA256

c803037796a5f186579d9df7729d13a9bac07abb852fe790049ca12188a55b93
SHA512

5287f452eaacadac0995c36e05f52766347283ef8c8c69ec14226db0d2b9a5d04e30ad6fb4f1f9e8ef6fac4d070bcd6a26bc81d36714b22223ec84fdb6f205b4
SSDEEP

6144:q8/dZPMrMKnlj/QVlTtaf2n7swhJC59bmoQtOfMjx+FFbu4MgXql00:xZP3KN/wR8+7JJubmL9x+FFa4MKA00

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	Hacker.com.cn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2540	2492	Hacker.com.cn.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2684	2316	250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29
PID 2492 wrote to memory of 2540	2492	Hacker.com.cn.exe	29

C:\Users\Admin\AppData\Local\Temp\250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\250b8e3d2870944feb2993005ed56bd4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2684

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:2540

C:\Windows\Hacker.com.cn.exe

Filesize
389KB

MD5
250b8e3d2870944feb2993005ed56bd4

SHA1
98b43e7fcc71facf9c797fd66e4587505fe04f08

SHA256
c803037796a5f186579d9df7729d13a9bac07abb852fe790049ca12188a55b93

SHA512
5287f452eaacadac0995c36e05f52766347283ef8c8c69ec14226db0d2b9a5d04e30ad6fb4f1f9e8ef6fac4d070bcd6a26bc81d36714b22223ec84fdb6f205b4

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
64b42d49b350aeb681aa507ee6fb128f

SHA1
c61c2f20062db0d2f62c4f7b788c4c55158bc9e5

SHA256
8c0b85698ad1fc72245f00c37edc8a73c9bab2b643d87638c447d2f2703780b9

SHA512
1718eef2cc9a723be69092df988fcd4a5cda02638e112cc5dbcf351ee2c18d2b44b2d66aca1e1c4435721ec9a4394fd80303ad4f833f9baea2dceede6d4a6278

Download Submit
memory/2316-0-0x00000000004CC000-0x00000000004CD000-memory.dmp

Filesize
4KB

Download
memory/2316-3-0x0000000000400000-0x00000000004DA1B0-memory.dmp

Filesize
872KB

Download
memory/2316-4-0x0000000000400000-0x00000000004DA1B0-memory.dmp

Filesize
872KB

Download
memory/2540-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-15-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2540-17-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download