359073e294a3bbf5fdf342444b027ede9f812a97fe4606c1feb963bc5cf5ea60

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 04:53

Target

37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
Size

21KB
MD5

37c4e6644307ac4ec3be598fd3b35206
SHA1

2ba8cbf56a374971f3a9b0047bf3b65115cb0d64
SHA256

359073e294a3bbf5fdf342444b027ede9f812a97fe4606c1feb963bc5cf5ea60
SHA512

edb86d6bd16938173c84da798428da5c760d99c4872680419af9b5afcf07f7164cf7aafbc611846e6dae2bf157170a38079e4753c0623c50cff7301d70eba458
SSDEEP

384:X68HZsuGbFI68c/ge4BHB19wbgBS7Dx/jCeQqKJzA6fsVfZDRdc/kONP:jmlWn6gxBz9wR7DxbCwV66bdKX

Score

8^/10

upx

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	RiSing.exe

Executes dropped EXE 1 IoCs

pid	Process
872	RiSing.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3964-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x000a000000023495-7.dat	upx
behavioral2/memory/3964-6-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/872-10-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RiSing.exe	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RiSing.exe	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RiSing.exe	RiSing.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	872	RiSing.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 872	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	83
PID 3964 wrote to memory of 872	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	83
PID 3964 wrote to memory of 872	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	83
PID 3964 wrote to memory of 4868	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	84
PID 3964 wrote to memory of 4868	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	84
PID 3964 wrote to memory of 4868	3964	37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe	84
PID 872 wrote to memory of 3644	872	RiSing.exe	85
PID 872 wrote to memory of 3644	872	RiSing.exe	85
PID 872 wrote to memory of 3644	872	RiSing.exe	85

C:\Users\Admin\AppData\Local\Temp\37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37c4e6644307ac4ec3be598fd3b35206_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\RiSing.exe
  "C:\Windows\system32\RiSing.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\RiSing.exe > nul
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\37C4E6~1.EXE > nul
  2⤵
  PID:4868

C:\Windows\SysWOW64\RiSing.exe

Filesize
21KB

MD5
37c4e6644307ac4ec3be598fd3b35206

SHA1
2ba8cbf56a374971f3a9b0047bf3b65115cb0d64

SHA256
359073e294a3bbf5fdf342444b027ede9f812a97fe4606c1feb963bc5cf5ea60

SHA512
edb86d6bd16938173c84da798428da5c760d99c4872680419af9b5afcf07f7164cf7aafbc611846e6dae2bf157170a38079e4753c0623c50cff7301d70eba458

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
3KB

MD5
45cb3e0071b0c0f15aad05ecc2fd89e5

SHA1
4d95c7ac6b69ceb591e9246eda9fe9264ed12f29

SHA256
9d04b715127a9ae9169eb2c2f919831359f56e4337c7ffbd753c3309f6f1ab70

SHA512
70016e21ae0da7e6e1e85d9c76990c9f87592230a3e09862e78d7097a72b101510fb5d4a5014d95ef3bc0d65a684a10ba8ccc9826fcbc4247d575c2f8d1bbb33

Download Submit
memory/872-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download