992ba58cf87b4b307362ff41b64fc8f99c5186079f88ee5daf5b999f693af2db

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 00:56

Target

29a079948174116c25df96b80238c07f_JaffaCakes118.exe
Size

151KB
MD5

29a079948174116c25df96b80238c07f
SHA1

5e50326fa7e6ff9650971052adb8124eae0c621d
SHA256

992ba58cf87b4b307362ff41b64fc8f99c5186079f88ee5daf5b999f693af2db
SHA512

2dcdb67881f7ec9ae55631eabfc3385b3eaf9eeaf842565ce66feb56ca2bd3e125b97b74941b4d784e4a1c2216878a1b191c66fa64fd2a623c632259d973ee75
SSDEEP

3072:OfPyc9y35l5cFtSkkT53t+ImJvBKiuDTcZXah0YMq5kSs:O3V9y3/ctSkkTR7mzoWXYrC

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1652	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\freecpa.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\freecpa.dll	regsvr32.exe

Drops file in Windows directory 3 IoCs

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1560	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	regsvr32.exe
Token: SeDebugPrivilege	1560	regsvr32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1560	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	30
PID 1560 wrote to memory of 1204	1560	regsvr32.exe	21
PID 2420 wrote to memory of 1652	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 1652	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 1652	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 1652	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2232	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2232	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2232	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2232	2420	29a079948174116c25df96b80238c07f_JaffaCakes118.exe	32

C:\Windows\OYA.bat

Filesize
53B

MD5
bd8acf285d4f871236e232fccfb16d38

SHA1
271c40bdb1a4e92278756911016a0ad7b17b6914

SHA256
b7b5ba6b72dc5e61ce416bd8a78ec3965bbcee380ac6e05ae95eca15ce2dafd7

SHA512
349c7c0dbf2ddb920a6cf4ee510ffb05a382a10d5dfbd47a0aade44e2c8f30e94ebc11b06e6b56c08b661448087e2d4b4e699b7ce922a8344181f11d4cfe5fc1

Download Submit
C:\Windows\VUX.dll

Filesize
132KB

MD5
a8e72bd0dc3ed31386071b9ec11c6ab7

SHA1
5b4e351310d2aa2b92ae15c6dce666efaac0b4a9

SHA256
6112c4f46405cd336e93b148e33dfbda6eb0d9f3c32a63c8f727a6b48e2332c1

SHA512
9f2ffcce239cee78694ef6a4f774fcdecb038ac87dad54ca3a7eb31dc062a988498201ec3aac0e5cb159324962750e67c0296ec10a35a84923e2130aee22e1f5

Download Submit
memory/1204-5-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1560-2-0x0000000000160000-0x0000000000188000-memory.dmp

Filesize
160KB

Download
memory/2420-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download