fb24c6ae5ebb220151dbf3c5ae091d8b1ef422363112432175c0e4dd69880522

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 14:09

Target

3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe
Size

8KB
MD5

3db1586334834c3ea295bc9295af417d
SHA1

b10662d4b7bbba1230c0e794c99455d6683c56c3
SHA256

fb24c6ae5ebb220151dbf3c5ae091d8b1ef422363112432175c0e4dd69880522
SHA512

6a008c572d28354bde2abf1d50153f6fb073f8bd1edf539f8fabbddc118a84bfa2c7272f9740c6d063351f8b6468ee63ca71071455b606557bfb9f992e1db20d
SSDEEP

192:wqTRHXb92s3HNfN2jRYcV2HYpSIm8phrqli+XpVg0uMQpap:wqTBbxXJo1xV2H8zrrGiTMgY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
3020	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mhdoor0.dll	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mhdoor0.dll	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3422FB0F-458A-8B56-95EB-39552017A4EF}\daSobjEventName = "YUTDFGHKHCOOLMH_0"	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3422FB0F-458A-8B56-95EB-39552017A4EF}	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3422FB0F-458A-8B56-95EB-39552017A4EF}\daExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe"	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3422FB0F-458A-8B56-95EB-39552017A4EF}\daDllModuleName = "C:\\Windows\\SysWow64\\mhdoor0.dll"	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3460	3020	3db1586334834c3ea295bc9295af417d_JaffaCakes118.exe	56

C:\Windows\SysWOW64\mhdoor0.dll

Filesize
13KB

MD5
8466895bcaf032b47ff15a34b713c9b5

SHA1
a4854f89978b87a15c5020d44745eeff5bc56119

SHA256
1601a9f645deccf0a6a3627ef3bc51778051ff9f14774aced05a9a512f2df86e

SHA512
72ff7ccfdf59a28895309ba005c448339fd9ab617f625c5032c4b60147c2e650b835496a02538abdb6ba4b77c0b44cb88a18f72946c81c691162d78a6fbf9c26

Download Submit
memory/3020-5-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3020-6-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download