bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 00:11

Target

3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
Size

742KB
MD5

3b44e831ee4573d532e85b0251600383
SHA1

1778713d0fb78dc2de530516b09e74454beb12af
SHA256

bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306
SHA512

a51d04ce28f39c4bce69d4223742258dc2596862bee42a08fba2eae0aa197f26dd8002e126de147806d90015f8b1f57bb98772a4d645092b485d20f8d43581d8
SSDEEP

12288:WRyLSFkU4u/n/tcEW5A0zyzvJwQ5oAlK+G6wvYhIk6bQQ52LuRg08jjVyZzZ:iKNU4ufeEW5A22Jr/kowvyIk6Bm0

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2500	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	system32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 884	1464	system32.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32.exe	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
File opened for modification	C:\Windows\system32.exe	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
Token: SeDebugPrivilege	1464	system32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 1464 wrote to memory of 884	1464	system32.exe	31
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2500	2440	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2500

C:\Windows\system32.exe
C:\Windows\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:884

C:\Windows\system32.exe

Filesize
742KB

MD5
3b44e831ee4573d532e85b0251600383

SHA1
1778713d0fb78dc2de530516b09e74454beb12af

SHA256
bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306

SHA512
a51d04ce28f39c4bce69d4223742258dc2596862bee42a08fba2eae0aa197f26dd8002e126de147806d90015f8b1f57bb98772a4d645092b485d20f8d43581d8

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
878549a3a3b65e162a67d1c2b4546167

SHA1
b9a0f6ef88800fe23cf91f9782e7ca4cb5089639

SHA256
b76ada053d3745892de6c13a2270e74fdb5fe62ffb7a6e2a46c021dc676fe539

SHA512
ad204ec30e3e2c889555a87954a21d0b15aecdde13c30c9db53201e8278e5e1c35c2d39fe43a8bdc0dbea05475772f26f914d280f1d3e34cea974ba2add25dbe

Download Submit
memory/884-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/884-10-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/884-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1464-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1464-20-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2440-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2440-18-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download