5634dbeae32cac1541561e69aa924af9b10f13e707539766a767553bd994e179

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
Size

227KB
MD5

2880d9cb54d2f146b388ba78a023ff85
SHA1

b2a7f2e42eb3da11951269d0b3749c33c69949db
SHA256

5634dbeae32cac1541561e69aa924af9b10f13e707539766a767553bd994e179
SHA512

9422c6342f51631ba8c97c8586bb49445188d34eb25b9fc5e2815da27b824fd38a5e6db710e34af709c98744b0d17d797c7b597b3643583dc6b80baeee4af7e5
SSDEEP

6144:jVbu/GbFUqgWWMxlA2ZG5LK91fjwSkVMpVEQobXV:U/4JvzT17JQSGQ6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
336	csrss.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
Token: SeDebugPrivilege	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeSystemtimePrivilege	844	svchost.exe
Token: SeBackupPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeShutdownPrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeUndockPrivilege	844	svchost.exe
Token: SeManageVolumePrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	844	svchost.exe
Token: SeIncreaseQuotaPrivilege	844	svchost.exe
Token: SeSecurityPrivilege	844	svchost.exe
Token: SeTakeOwnershipPrivilege	844	svchost.exe
Token: SeLoadDriverPrivilege	844	svchost.exe
Token: SeRestorePrivilege	844	svchost.exe
Token: SeSystemEnvironmentPrivilege	844	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 336	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	2
PID 2276 wrote to memory of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2796	2276	2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe	30
PID 336 wrote to memory of 844	336	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Local\Temp\2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2880d9cb54d2f146b388ba78a023ff85_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
7e66fbfeae2aae8b7dbc5b98de1ec273

SHA1
5775fc241d60b2c47e9691593db0b687c81200ef

SHA256
18b424b2a8479512609b9df40408d08120205060206f8a1ee33a805e8e014d59

SHA512
b88343d61f116769fb81639d54c7b2ede362c6149a65c756358b3d4e7c74ab998d06a213552c482db57870be1bf0de601b1fbe5a0d605e4b902aa35226e239ce

Download Submit
memory/336-23-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/336-32-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/336-26-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/336-25-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/844-42-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/844-34-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/844-51-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/844-52-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/844-44-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/844-43-0x00000000008D0000-0x00000000008DB000-memory.dmp

Filesize
44KB

Download
memory/844-38-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/2276-17-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-5-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-16-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-31-0x000000000042E000-0x0000000000431000-memory.dmp

Filesize
12KB

Download
memory/2276-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-1-0x000000000042E000-0x0000000000431000-memory.dmp

Filesize
12KB

Download
memory/2276-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-13-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-14-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-18-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-15-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download
memory/2276-9-0x0000000001F50000-0x0000000001F96000-memory.dmp

Filesize
280KB

Download