bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 00:11

Target

3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
Size

742KB
MD5

3b44e831ee4573d532e85b0251600383
SHA1

1778713d0fb78dc2de530516b09e74454beb12af
SHA256

bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306
SHA512

a51d04ce28f39c4bce69d4223742258dc2596862bee42a08fba2eae0aa197f26dd8002e126de147806d90015f8b1f57bb98772a4d645092b485d20f8d43581d8
SSDEEP

12288:WRyLSFkU4u/n/tcEW5A0zyzvJwQ5oAlK+G6wvYhIk6bQQ52LuRg08jjVyZzZ:iKNU4ufeEW5A22Jr/kowvyIk6Bm0

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2512	system32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2136	2512	system32.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32.exe	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
File opened for modification	C:\Windows\system32.exe	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3488	2136	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
Token: SeDebugPrivilege	2512	system32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2136	2512	system32.exe	87
PID 2512 wrote to memory of 2136	2512	system32.exe	87
PID 2512 wrote to memory of 2136	2512	system32.exe	87
PID 2512 wrote to memory of 2136	2512	system32.exe	87
PID 2512 wrote to memory of 2136	2512	system32.exe	87
PID 432 wrote to memory of 4876	432	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	89
PID 432 wrote to memory of 4876	432	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	89
PID 432 wrote to memory of 4876	432	3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b44e831ee4573d532e85b0251600383_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
1⤵
PID:1156

C:\Windows\system32.exe

Filesize
742KB

MD5
3b44e831ee4573d532e85b0251600383

SHA1
1778713d0fb78dc2de530516b09e74454beb12af

SHA256
bfde7fa0e690f0c905c26e14a692ebe8bec7df99c66c2b652c3d871296063306

SHA512
a51d04ce28f39c4bce69d4223742258dc2596862bee42a08fba2eae0aa197f26dd8002e126de147806d90015f8b1f57bb98772a4d645092b485d20f8d43581d8

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
878549a3a3b65e162a67d1c2b4546167

SHA1
b9a0f6ef88800fe23cf91f9782e7ca4cb5089639

SHA256
b76ada053d3745892de6c13a2270e74fdb5fe62ffb7a6e2a46c021dc676fe539

SHA512
ad204ec30e3e2c889555a87954a21d0b15aecdde13c30c9db53201e8278e5e1c35c2d39fe43a8bdc0dbea05475772f26f914d280f1d3e34cea974ba2add25dbe

Download Submit
memory/432-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/432-9-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2136-7-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2512-5-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2512-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download