f084a3e8bd28a5eb68e53f46db405d7a97d5f7ca929340e63aed0354f4a66ba0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe
Size

281KB
MD5

257fb92e6f6b854694760dbd5bf32db6
SHA1

0bd1d0248d79e9e11e15137cf5b695f837c8fa87
SHA256

f084a3e8bd28a5eb68e53f46db405d7a97d5f7ca929340e63aed0354f4a66ba0
SHA512

58508e975e0375c564f653defeb748157c3bcac4a59723ae044f6e5d42e7bbac27ce7fbdd09a6d124d5709b0346afe7a6e38d3fbb3084f52576553a5df521efb
SSDEEP

6144:79mBj6B6kQu1WTminflPN80PxyoRKA3c+GKpbN0e3v0tP6IFo:JV6k+Tmin80PTcmv3Ml6Qo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	smss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2312	2160	smss.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe
File created	C:\Windows\smss.exe	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe
File opened for modification	C:\Windows\smss.exe	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe
Token: SeDebugPrivilege	2160	smss.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 2160 wrote to memory of 2312	2160	smss.exe	29
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2852	1276	257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\257fb92e6f6b854694760dbd5bf32db6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2852

C:\Windows\smss.exe
C:\Windows\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\windows\SysWOW64\svchost.exe
  C:\windows\system32\svchost.exe
  2⤵
  PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\smss.exe

Filesize
281KB

MD5
257fb92e6f6b854694760dbd5bf32db6

SHA1
0bd1d0248d79e9e11e15137cf5b695f837c8fa87

SHA256
f084a3e8bd28a5eb68e53f46db405d7a97d5f7ca929340e63aed0354f4a66ba0

SHA512
58508e975e0375c564f653defeb748157c3bcac4a59723ae044f6e5d42e7bbac27ce7fbdd09a6d124d5709b0346afe7a6e38d3fbb3084f52576553a5df521efb

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
26485b237ac08c77b5b75b0c83901f92

SHA1
b461e70e1dace30da56adfe0250506e59c2de8fa

SHA256
eb4e7976d5faa2fecab1b559c9ad537799566b62bde16fa627149fa86f16692d

SHA512
803ccc8313006b9acc31936e1ea152d36387f83be4cd1b4d8d157e5a7a190e504dae95b3712f925f27644883a2a6ee65af1b54fad5696334edc2ecf95d6ab499

Download Submit
memory/1276-1-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1276-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1276-3-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1276-22-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1276-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2160-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2160-8-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2160-24-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2312-12-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2312-14-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2312-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download