356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 00:34

Target

3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
Size

43KB
MD5

3b55741f5f7c23175c9e74021172c08d
SHA1

b96bed86e6ad42bcc4b856bcac4a514d6c665dd4
SHA256

356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51
SHA512

29b6c2902aeedd9e9c30c524f1f6ef3d7f3d222992ae24b9a495bec33c107a0cfa36b367a42f6f53b60292da2c48cc211a6d42edf2477ed31043436cc2614190
SSDEEP

768:uMoFJl5/ija+1Im1+B3HTe71vuRWIbwacYD9kFF4X4J4imqq/uuHtI:VoFJy+5HTe71vusIkrY24oJ40yuuNI

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	SysDlMu.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2148-11-0x0000000000360000-0x0000000000374000-memory.dmp	upx
behavioral1/memory/2148-20-0x0000000000360000-0x0000000000374000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\NTDLMu.DLL	SysDlMu.exe
File opened for modification	C:\Windows\SysDlMu.exe	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
File created	C:\Windows\SysDlMu.exe	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
File opened for modification	C:\Windows\NTDLMu.DLL	SysDlMu.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2148	SysDlMu.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2148	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	29
PID 2264 wrote to memory of 2148	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	29
PID 2264 wrote to memory of 2148	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	29
PID 2264 wrote to memory of 2148	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	29
PID 2264 wrote to memory of 2776	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2776	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2776	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2776	2264	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysDlMu.exe
  C:\Windows\SysDlMu.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Deleteme.bat
  2⤵
  - Deletes itself
  PID:2776

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
212B

MD5
2c18c1fb43011743f4b1c9cee2d882a5

SHA1
45432a2a61c087a7091343ceb5a6995003849013

SHA256
2727a431aad943d8ebcc1e41356fee223d66d14b6467b0f1614307f5742dd7c8

SHA512
d253b2c55197adef2d7a9d40ae97f3e87bb97112f339226cded0d897db484aa3619138488bdfeefd7f66fc5644b4b96af485a4bb8829ac528502a7ef479b9587

Download Submit
C:\Windows\SysDlMu.exe

Filesize
43KB

MD5
3b55741f5f7c23175c9e74021172c08d

SHA1
b96bed86e6ad42bcc4b856bcac4a514d6c665dd4

SHA256
356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51

SHA512
29b6c2902aeedd9e9c30c524f1f6ef3d7f3d222992ae24b9a495bec33c107a0cfa36b367a42f6f53b60292da2c48cc211a6d42edf2477ed31043436cc2614190

Download Submit
memory/2148-11-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/2148-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-20-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/2264-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download