7e48ead38f4e2eb12b300072432b2d18fbc6cde0f66b314ce2d3008f4d6f88f9

Analysis

max time kernel
95s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 07:32

Target

33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
Size

9KB
MD5

33cd86f007b7b20439b3b33e8b8ab206
SHA1

3030372557652d2f23c3a63b22aef8c17d90f974
SHA256

7e48ead38f4e2eb12b300072432b2d18fbc6cde0f66b314ce2d3008f4d6f88f9
SHA512

4217a89840cfd288c524decd49a6c0228474bd5172ea262a175fcbd55960a8fdb3241bb09c75d93ca5c5b005f99ef20b18559a062be69b44efe799268b40a38c
SSDEEP

192:LEJn87LQXqTfJnq5cHgQOQuOzGi6nXpu671wZ9/8xUawAyzai2Bmap:YJ87seLkiAnXpug1WgUabiai2BmY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1532	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sys06001.add	rundll32.exe
File created	C:\Windows\SysWOW64\gdipro.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\gdipro.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4616	1532	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1532	5088	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	81
PID 5088 wrote to memory of 1532	5088	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	81
PID 5088 wrote to memory of 1532	5088	33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\~e57a19f.tmp INS C:\Users\Admin\AppData\Local\Temp\33cd86f007b7b20439b3b33e8b8ab206_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 636
    3⤵
    - Program crash
    PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1532 -ip 1532
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\~e57a19f.tmp

Filesize
34KB

MD5
cc2427cf85615918f2a39b6bcf025853

SHA1
4550f347097158be58edff4c5d6ca229af706cae

SHA256
ff862b4db92e441da4855a1e19325a36b6bb6088e7f63f3416bd6e9c21f49010

SHA512
ae5f9841babcf9cae024b4a2c4c611c758b2b638c5925da0943bd6fe08dfbb1ab2e1f5de9e1f061d8e188708cf70682a5461c288b81e7a18e290b72fdd58c210

Download Submit
memory/1532-3-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download