76630c4de7fab2a16b40846bf2d0bde8eed688e3b9cdd5548afc7bdf01c95679

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 08:37

Target

254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe
Size

309KB
MD5

254d4d137b8f3e1af271e80f25e8b042
SHA1

e945fcb775e72cfc24a8129a3987aeec2135992d
SHA256

76630c4de7fab2a16b40846bf2d0bde8eed688e3b9cdd5548afc7bdf01c95679
SHA512

840889ed22d568e2c49f0b0ded7fccd13073cddbb7e0a970f73143a029a3ad59bdd1004a243c7c3e0ca063e7450eb3e762a18997d9163ccb46b1a1f75197897e
SSDEEP

6144:c0QPWMDpuo2ZARuX355QjYUBJ/Pzcm3WHN69S8XM+yNlH:cAOuHp+5QgWo9S8XMND

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tasks\svchost.exe	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe
File opened for modification	C:\Windows\tasks\svchost.exe	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe
File created	C:\Windows\004A0AAF.BAT	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2268	2352	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2268	2352	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2268	2352	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2268	2352	254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\254d4d137b8f3e1af271e80f25e8b042_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\004A0AAF.BAT
  2⤵
  - Deletes itself
  PID:2268

C:\Windows\004A0AAF.BAT

Filesize
218B

MD5
2b0f6528a03a950ed0985cba26d063c6

SHA1
9756e0f58e4d74fdffb1742d7018d49d072c9207

SHA256
987ec5493df164ab5f1699b46aa0ddf6b77fd0e49b86368c0aaf628d103ad6fc

SHA512
c84efeb97f177b129b5ea3ab8be2f2fd1d721610b64a0ac4f059e75e2be92e05a015d069bb71167d4f676bbf27ab92c9f6755aa30240db5deeb364b3148eff99

Download Submit
C:\Windows\Tasks\svchost.exe

Filesize
309KB

MD5
254d4d137b8f3e1af271e80f25e8b042

SHA1
e945fcb775e72cfc24a8129a3987aeec2135992d

SHA256
76630c4de7fab2a16b40846bf2d0bde8eed688e3b9cdd5548afc7bdf01c95679

SHA512
840889ed22d568e2c49f0b0ded7fccd13073cddbb7e0a970f73143a029a3ad59bdd1004a243c7c3e0ca063e7450eb3e762a18997d9163ccb46b1a1f75197897e

Download Submit
memory/2352-0-0x0000000000400000-0x00000000004C3400-memory.dmp

Filesize
781KB

Download
memory/2352-1-0x0000000000400000-0x00000000004C3400-memory.dmp

Filesize
781KB

Download
memory/2352-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2352-18-0x0000000000400000-0x00000000004C3400-memory.dmp

Filesize
781KB

Download
memory/2892-7-0x0000000000400000-0x00000000004C3400-memory.dmp

Filesize
781KB

Download
memory/2892-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2892-20-0x0000000000400000-0x00000000004C3400-memory.dmp

Filesize
781KB

Download
memory/2892-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download