7f6af56e6d195bdfaa5184a9bf6432b5d486340c32cf48d4decebd2574ad0933

Analysis

max time kernel
142s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 22:19

Target

32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe
Size

301KB
MD5

32321d6fb8e4c1b2d352efc33574593f
SHA1

3550797aa0be8d697b7762e372fea3db0e67745c
SHA256

7f6af56e6d195bdfaa5184a9bf6432b5d486340c32cf48d4decebd2574ad0933
SHA512

276041a9980e306b9044820830bc500bc1ff88bf4dc57228675a4164c6996cfdcbd1df71a92838eb0369feae592b6827b839b27dcec97c2671b8866c9d037ca5
SSDEEP

6144:D0u+iTNxTCYLxRy3MSGaLsojXDbKn4XzMXQIavpGJccl8WqodZMY+CSMhP:D0uxN0YLxqDLs8GnAEQIavGcGxqodZfn

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1712	cftmon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cftmon.exe	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe
File opened for modification	C:\Windows\cftmon.exe	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe
Token: SeDebugPrivilege	1712	cftmon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	cftmon.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1652	1712	cftmon.exe	85
PID 1712 wrote to memory of 1652	1712	cftmon.exe	85
PID 1568 wrote to memory of 4144	1568	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe	86
PID 1568 wrote to memory of 4144	1568	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe	86
PID 1568 wrote to memory of 4144	1568	32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32321d6fb8e4c1b2d352efc33574593f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4144

C:\Windows\cftmon.exe
C:\Windows\cftmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1652

C:\Windows\cftmon.exe

Filesize
301KB

MD5
32321d6fb8e4c1b2d352efc33574593f

SHA1
3550797aa0be8d697b7762e372fea3db0e67745c

SHA256
7f6af56e6d195bdfaa5184a9bf6432b5d486340c32cf48d4decebd2574ad0933

SHA512
276041a9980e306b9044820830bc500bc1ff88bf4dc57228675a4164c6996cfdcbd1df71a92838eb0369feae592b6827b839b27dcec97c2671b8866c9d037ca5

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
6f95bff4c4df8840dd2ddb0e77e69a11

SHA1
7f3a86ebfbe045c3fd1a1222f22e630ec1b11b59

SHA256
fcbe2b3200bd4b2504ca8d8e96eb4b68875de2342965011ad6c22b3e157eec1b

SHA512
487a28bdee135dbd9f52dbe53ca91dc1ad02087e83a75b5945a08958c860be4accf81901636171c58cf13e0e05ba7fba2ede6ecc5a109b9844bc6ed5fa31e8ed

Download Submit
memory/1568-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1568-1-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1568-9-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1712-6-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1712-11-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1712-13-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download