293fab758a415b9974ab37d05c46840453d3b19bc8b17ccd5ca87a89d75a1684

Analysis

max time kernel
142s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Size

633KB
MD5

36626fc09c3aa85b20e32b87003bf010
SHA1

7fb76c8dfdcd827691b8a18ddaa0de2029a58f1e
SHA256

293fab758a415b9974ab37d05c46840453d3b19bc8b17ccd5ca87a89d75a1684
SHA512

0703e1e40f2a97c057f18f03cf4e0c3640955ef3dc0d1ba59f216087a6ea38f71edf4ac262e06068d34a96d1a29b19939e715551cbdce24dee037eae437dd919
SSDEEP

12288:7lMg+l9YDAkGW0+WSyOFa4NMSnfy0cF0f6/FcF3Z4mxxjDqVTVOCdXY:7lMXlkb0+zqCMSnfyBKf6aQmXKVTzJY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchos.exe

pid process

2548 svchos.exe

pid	process
2548	svchos.exe

Drops file in Windows directory 3 IoCs

Processes:

36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\svchos.exe	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
File opened for modification	C:\Windows\svchos.exe	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exesvchos.exe

description pid process

Token: SeDebugPrivilege 540 36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Token: SeDebugPrivilege 2548 svchos.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchos.exe

pid process

2548 svchos.exe

description	pid	process
Token: SeDebugPrivilege	540	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Token: SeDebugPrivilege	2548	svchos.exe

pid	process
2548	svchos.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

svchos.exe36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe

description	pid	process	target process
PID 2548 wrote to memory of 1804	2548	svchos.exe	ieXplorE.ExE
PID 2548 wrote to memory of 1804	2548	svchos.exe	ieXplorE.ExE
PID 540 wrote to memory of 3360	540	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe	cmd.exe
PID 540 wrote to memory of 3360	540	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe	cmd.exe
PID 540 wrote to memory of 3360	540	36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
2⤵
PID:3360

C:\Windows\svchos.exe
C:\Windows\svchos.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2548

C:\Program Files\Internet Explorer\ieXplorE.ExE
"C:\Program Files\Internet Explorer\ieXplorE.ExE"
2⤵
PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchos.exe

Filesize
633KB

MD5
36626fc09c3aa85b20e32b87003bf010

SHA1
7fb76c8dfdcd827691b8a18ddaa0de2029a58f1e

SHA256
293fab758a415b9974ab37d05c46840453d3b19bc8b17ccd5ca87a89d75a1684

SHA512
0703e1e40f2a97c057f18f03cf4e0c3640955ef3dc0d1ba59f216087a6ea38f71edf4ac262e06068d34a96d1a29b19939e715551cbdce24dee037eae437dd919

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
9e5fc10534790d51300445bff90f17c4

SHA1
3b09427d324a88c89bb320422abeb40cb0ef75f7

SHA256
b870eacdb4f3e018331e0f03b690f0ec90f3b3f8c55f97bce6e2795036f0c1ac

SHA512
e221580bd83ccf94f7259d73b2b4b638aa184ceaf08356cf33c08eaac1791829896a8da9c460d743bf92dbeac48016ce14a24ae821822e6b8f2d6cd8cb5350e6

Download Submit
memory/540-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/540-17-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/540-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/540-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/540-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/540-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/540-10-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/540-9-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/540-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/540-15-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/540-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/540-3-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/540-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/540-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/540-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/540-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/540-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/540-24-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/540-25-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/540-1-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/2548-27-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download