636f7f4de52f1f1688988661dbced1e8f5c311fb981fa40439627cf1a451dca2

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 07:21

Target

40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
Size

304KB
MD5

40b69dd3c676f456ed9b34a5ad63fac9
SHA1

054c70b1dc8b1ab2dfa8b210193224172c576ea3
SHA256

636f7f4de52f1f1688988661dbced1e8f5c311fb981fa40439627cf1a451dca2
SHA512

85b9814d50acf0557d70c6f31ad060c35a7c733f4f8a171536bcd23815020b996c89a5f6abeb12956d93e3c422b63b68c44920de86ce8e308fa7aca3435f8166
SSDEEP

6144:6K5f2kaSemapKd4gFoQcySrVNWn0CAypTU77ev7wdbnr7BvxXxboZUVNV:hd2lSefpsxqn3rVHBy+qy3BphbvVD

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tasks\svchost.exe	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
File opened for modification	C:\Windows\tasks\svchost.exe	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
File created	C:\Windows\004A0AAF.BAT	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
Token: SeDebugPrivilege	2260	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2260	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2640	2356	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2640	2356	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2640	2356	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2640	2356	40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\004A0AAF.BAT
  2⤵
  - Deletes itself
  PID:2640

C:\Windows\004A0AAF.BAT

Filesize
218B

MD5
fe775196282138480a2d0dc970a4a9e5

SHA1
19a37c54ac243c7f6b9e4a5a8d1064b4b6939346

SHA256
0c7825d53c5b514fd3e378afd61b4c9e0c7762ac49705e34be9ff8b9b5dd96b9

SHA512
d534ae40dd1af9fd7382e981a1a4b276cba4655d0625f3d46b9fedd1da0572c622b8de37abc9fc10d3ca61116bf6ec1e46630efc615ff6747c800d33df3357b7

Download Submit
C:\Windows\Tasks\svchost.exe

Filesize
304KB

MD5
40b69dd3c676f456ed9b34a5ad63fac9

SHA1
054c70b1dc8b1ab2dfa8b210193224172c576ea3

SHA256
636f7f4de52f1f1688988661dbced1e8f5c311fb981fa40439627cf1a451dca2

SHA512
85b9814d50acf0557d70c6f31ad060c35a7c733f4f8a171536bcd23815020b996c89a5f6abeb12956d93e3c422b63b68c44920de86ce8e308fa7aca3435f8166

Download Submit
memory/2260-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2260-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2260-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2260-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2356-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2356-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2356-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2356-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download