697b24d18e37bff5e70fec288b2d530cbae54af2a9de845a189745b317ef9c0f

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 15:36

Target

3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
Size

248KB
MD5

3df4a473712e6bb58fd5a9852eb5d77d
SHA1

1ed60dda775d1ef863b41b1f066bf226b4a69b4c
SHA256

697b24d18e37bff5e70fec288b2d530cbae54af2a9de845a189745b317ef9c0f
SHA512

beb9f2f742a63769e2ef4e11af81ef66752668b34543aeae743809e10b113001d18630ffb608000d193e8b9e250294d3d30b9a52ce5d0e70ceb892503c0d94a5
SSDEEP

3072:tVi+tn8dimzJkGGIqH7cDpNi6ehSyiHGO9DuFXWMocft9x:tIdV+wNNSSHHGO9Du1WM/

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1144	Garss.exe

Loads dropped DLL 1 IoCs

pid	Process
1144	Garss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Garss.exe	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
File created	C:\Program Files\Garss.exe	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5028	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1144	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	86
PID 4080 wrote to memory of 1144	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	86
PID 4080 wrote to memory of 1144	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	86
PID 4080 wrote to memory of 5028	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	89
PID 4080 wrote to memory of 5028	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	89
PID 4080 wrote to memory of 5028	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	89
PID 4080 wrote to memory of 4920	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	90
PID 4080 wrote to memory of 4920	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	90
PID 4080 wrote to memory of 4920	4080	3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files\Garss.exe
  "C:\Program Files\Garss.exe" "C:\Documents and Settings\QQCRT.DLL" Main
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1144
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\1.reg
  2⤵
  - Runs .reg file with regedit
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3DF4A4~1.EXE > nul
  2⤵
  PID:4920

C:\1.reg

Filesize
904B

MD5
54d0f79ab0efd0617c1269c844d25370

SHA1
9d3272901c5a555f00e08452fe98fab50ad7d0e8

SHA256
0aaf709fc2baf645bfe47bc5041ff9b9e396fba5d16ceff8513dc15cf25d3335

SHA512
b109f31ec8c55baf4e1b8452f57831f72dc535c431e32dd021b276896e581f46b6c6642811dd70bff68ded67f348415c71346c61a6225ecececa9f1f597e5dc8

Download Submit
C:\Documents and Settings\QQCRT.DLL

Filesize
21.1MB

MD5
c8f1c4c69fdaa6f178e097596749b11e

SHA1
8f44173e9c232bf1e5caa53e745a803410fb646c

SHA256
baf2a2b8637f3fcd3631cc471f9334e8fcd55b73386ee9de037fb2cd82da6cce

SHA512
e743227d65eccfac35515aa246be852ae9ab39f6f037c784febbb1ba3774d0ad87b39810c9586e6a6426dd7a614e223ffaced02ff055b2714741b1a2302f81f6

Download Submit
C:\Program Files\Garss.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit