dc3ead569b5db362822f70aed44ff9b280dea7e0d859f2904b31a7fb9ed64e45

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 04:47

Target

3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe
Size

66KB
MD5

3c07238fb7536ee9a10f6c653ec83226
SHA1

f2e297e21a4eceeba997b2dc2489def5b2e1af4d
SHA256

dc3ead569b5db362822f70aed44ff9b280dea7e0d859f2904b31a7fb9ed64e45
SHA512

934ed4bc0c64a2ea529fc44c09ef90124af15c37b22c4f4fb4f3fc8d4bb5f3ce981defd05b266e3aa3d928c57f6afa56ca70b39cde25cbe1c8677b9ba082e575
SSDEEP

1536:+1+GA2ok4xmlKRUXq2qN9y0CtwKeCF1zQ/b3jtbNoXP1XvrVrfw:+1+GVok8WXq2s9yptfyTBbiFJ7

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systen.dll	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Systen.dll	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\259463265.dll	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe
File created	C:\Windows\259463390.bat	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 432	2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe	5
PID 2852 wrote to memory of 2760	2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2760	2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2760	2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2760	2852	3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c07238fb7536ee9a10f6c653ec83226_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\259463390.bat
  2⤵
  - Deletes itself
  PID:2760

C:\Windows\259463390.bat

Filesize
219B

MD5
0a9b0a1e304410e28a064bdc7fb09acb

SHA1
cbbb6ad2fb51c095acacb2f9bff7295f35256d0a

SHA256
97fcaf6bf02b42cfcf29ebabb99626dff86a76fd3fdd688b64c7b086443a7d80

SHA512
80edb9bb48c591b20ee8c1fd0e902b075105e3a6769cde4fafcaad65c2141da54b3aa85028e1e66656ec0af4e0c8802d113b13cd0a4eaefae221af998ea089ae

Download Submit
C:\Windows\SysWOW64\Systen.dll

Filesize
53KB

MD5
7d66a217c027eb1381aeeaa748244779

SHA1
acfd3c6446dd32b9620e4e6f6a4d71140a4cc2a6

SHA256
fdf9607d09e4ac4a26589067780666f3e99bd4cc07ab892ef5efe15fa88b698c

SHA512
5a50f497a69a9c9a36df813a3c70019ca55278b52ba7a6ca1970cba4db21e51ed6feb0a382133d03462b9b0f6b7df6625c6b890e9c45dd5dbc0d047ca1810a08

Download Submit
memory/432-8-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2852-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-4-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2852-3-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-16-0x0000000000010000-0x0000000000028000-memory.dmp

Filesize
96KB

Download
memory/2852-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download