8f67e42e2ca84519648560fc2004c8301133ce40518dbed8f66dba6b048d0f4e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe
Size

598KB
MD5

25fdc60d431d72d27b4b54a548b8750b
SHA1

8fc984de445bd19f179e40a8f7fda88178f21ef6
SHA256

8f67e42e2ca84519648560fc2004c8301133ce40518dbed8f66dba6b048d0f4e
SHA512

25e79f95b4361594ea98cb75c130b2cc3fe0cca69c34760d72ccd60d0e472da5202ffbb6b340ba0ba182e26debfc17fb93e6455a1253b4f4c2b91a8d63460f0d
SSDEEP

12288:CoNFHAcSHwfzkYosJmDI7Od8xh2QTlipTqzClhPJF3euCJJa:LgcSHyzkq2IiQ8pTWClhPJFuuCJJa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	msn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 3428	2552	msn.exe	81

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\msn\msn.exe	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe
File opened for modification	C:\Program Files\msn\msn.exe	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	3428	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe
Token: SeDebugPrivilege	2552	msn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3428	2552	msn.exe	81
PID 2552 wrote to memory of 3428	2552	msn.exe	81
PID 2552 wrote to memory of 3428	2552	msn.exe	81
PID 2552 wrote to memory of 3428	2552	msn.exe	81
PID 2552 wrote to memory of 3428	2552	msn.exe	81
PID 1548 wrote to memory of 2444	1548	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe	85
PID 1548 wrote to memory of 2444	1548	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe	85
PID 1548 wrote to memory of 2444	1548	25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25fdc60d431d72d27b4b54a548b8750b_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2444

C:\Program Files\msn\msn.exe
"C:\Program Files\msn\msn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\EXPLORER.EXE
  EXPLORER.EXE
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 12
    3⤵
    - Program crash
    PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3428 -ip 3428
1⤵
PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\msn\msn.exe

Filesize
598KB

MD5
25fdc60d431d72d27b4b54a548b8750b

SHA1
8fc984de445bd19f179e40a8f7fda88178f21ef6

SHA256
8f67e42e2ca84519648560fc2004c8301133ce40518dbed8f66dba6b048d0f4e

SHA512
25e79f95b4361594ea98cb75c130b2cc3fe0cca69c34760d72ccd60d0e472da5202ffbb6b340ba0ba182e26debfc17fb93e6455a1253b4f4c2b91a8d63460f0d

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
4e3be55bd853c899b36870693bc162f0

SHA1
315fb40658fad0a70e15be7e82151d67986d1be8

SHA256
bf09f109482c35a09174e69e39ddd5919e9873b2da41560d0155e16cbadfd759

SHA512
5655c16133ad9812081fb882731352d95318788d4efa5c680fb849d9d741e2b6591bf7ef83e54226977cfc45533423c40229ec80d8ca7858c0fa2cd6637359c2

Download Submit
memory/1548-0-0x0000000000401000-0x00000000004A3000-memory.dmp

Filesize
648KB

Download
memory/1548-1-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-2-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-3-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-4-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-7-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-8-0x0000000000400000-0x00000000005F393C-memory.dmp

Filesize
2.0MB

Download
memory/1548-14-0x0000000000401000-0x00000000004A3000-memory.dmp

Filesize
648KB

Download
memory/3428-11-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download