3f959fb0796d9917dafffcb370553d77eff1558e4dcea6d8ce467f1c9ca69c8b

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 04:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
Size

301KB
MD5

403ab16020ad6eeac14cfd84c6424535
SHA1

be4c953251437f80b1838923618cad90c58f704f
SHA256

3f959fb0796d9917dafffcb370553d77eff1558e4dcea6d8ce467f1c9ca69c8b
SHA512

3a10f95943cf0a61a5ae593b7de2aa5478e502e9e527fda3c8014c1e8906545be949122f159a1f36b8741f4369957046b3d1254c621248df9165a401531df666
SSDEEP

6144:WLQYrb2e3cAJOtxCwRnilyg7QU4grJqoyUjtfKyZFWzNf8LOIYVg9xTT7FLR:LpelJYxCZyg0U4g1lnjtC7zFy1Wgn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ime\JERTHI.DAT	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ime\svchost.exe	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ime\svchost.exe	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ime\JERTHI.DAT	svchost.exe
File created	C:\Windows\SysWOW64\ime\YKOXKG.DAT	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ime\svchost.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
Token: SeDebugPrivilege	2716	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32
PID 1412 wrote to memory of 2760	1412	403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\403ab16020ad6eeac14cfd84c6424535_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2760

C:\Windows\SysWOW64\ime\svchost.exe
C:\Windows\SysWOW64\ime\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IME\svchost.exe

Filesize
301KB

MD5
403ab16020ad6eeac14cfd84c6424535

SHA1
be4c953251437f80b1838923618cad90c58f704f

SHA256
3f959fb0796d9917dafffcb370553d77eff1558e4dcea6d8ce467f1c9ca69c8b

SHA512
3a10f95943cf0a61a5ae593b7de2aa5478e502e9e527fda3c8014c1e8906545be949122f159a1f36b8741f4369957046b3d1254c621248df9165a401531df666

Download Submit
C:\Windows\SysWOW64\ime\JERTHI.DAT

Filesize
51KB

MD5
c3cba7e9f319eb39ddbcd4284af95c4b

SHA1
adeab858d9b6f55d01feba9c641a30b37397cb9e

SHA256
99af192ff86b4be307995fb52ebac09e7e92d562c4d13c27464632a28a2b5443

SHA512
94b2f89c802ffb48cb73b47ee55e9e4336a1bd2815d25569e555bbc0d933d261d3aaa2b765c68c1a9bdf143eb57a7a8533e370fee0e80917e743ccb8255d8c5b

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
868f3f8dd87c4d1a0457e3ee50722481

SHA1
6dc6a1c8a410f4842dc09371aae44bc57585d850

SHA256
25dc39695ebd28645c29516473d8e83b45bc1ca5eff6c3fa17642a37b5a87924

SHA512
47947598deea0b31e65ac599bf201dc65d9212bb0456ee191e8ac5ff58b3f598bba72730fad22be5f42ef77c507d2404deb22d43d1f32417c788ab69203f388c

Download Submit
memory/1412-0-0x0000000000400000-0x0000000000521208-memory.dmp

Filesize
1.1MB

Download
memory/1412-1-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1412-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1412-20-0x0000000000400000-0x0000000000521208-memory.dmp

Filesize
1.1MB

Download
memory/2716-7-0x0000000000400000-0x0000000000521208-memory.dmp

Filesize
1.1MB

Download
memory/2716-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-12-0x0000000000400000-0x0000000000521208-memory.dmp

Filesize
1.1MB

Download