7e48ead38f4e2eb12b300072432b2d18fbc6cde0f66b314ce2d3008f4d6f88f9

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 07:32

Target

33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
Size

9KB
MD5

33cd86f007b7b20439b3b33e8b8ab206
SHA1

3030372557652d2f23c3a63b22aef8c17d90f974
SHA256

7e48ead38f4e2eb12b300072432b2d18fbc6cde0f66b314ce2d3008f4d6f88f9
SHA512

4217a89840cfd288c524decd49a6c0228474bd5172ea262a175fcbd55960a8fdb3241bb09c75d93ca5c5b005f99ef20b18559a062be69b44efe799268b40a38c
SSDEEP

192:LEJn87LQXqTfJnq5cHgQOQuOzGi6nXpu671wZ9/8xUawAyzai2Bmap:YJ87seLkiAnXpug1WgUabiai2BmY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2864	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdipro.dll	rundll32.exe
File created	C:\Windows\SysWOW64\sys06001.add	rundll32.exe
File created	C:\Windows\SysWOW64\gdipro.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2864	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2864	2844	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2720	2864	rundll32.exe	31
PID 2864 wrote to memory of 2720	2864	rundll32.exe	31
PID 2864 wrote to memory of 2720	2864	rundll32.exe	31
PID 2864 wrote to memory of 2720	2864	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\~f766d92.tmp INS C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 288
    3⤵
    - Program crash
    PID:2720

C:\Users\Admin\AppData\Local\Temp\~f766d92.tmp

Filesize
34KB

MD5
cc2427cf85615918f2a39b6bcf025853

SHA1
4550f347097158be58edff4c5d6ca229af706cae

SHA256
ff862b4db92e441da4855a1e19325a36b6bb6088e7f63f3416bd6e9c21f49010

SHA512
ae5f9841babcf9cae024b4a2c4c611c758b2b638c5925da0943bd6fe08dfbb1ab2e1f5de9e1f061d8e188708cf70682a5461c288b81e7a18e290b72fdd58c210

Download Submit
memory/2864-4-0x0000000010012000-0x0000000010013000-memory.dmp

Filesize
4KB

Download
memory/2864-3-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download