4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 11:11

Target

416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
Size

557KB
MD5

416db420e781c709bb71acee0b79282f
SHA1

bdd2bae83c3bab9ba0c199492fe57e70c6425dd3
SHA256

4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99
SHA512

31a229abfc2e7039db7e5bb8510cdd89b0ef4d2ea1e22293cb9cc26a4f73ac07dd2456e0b0ac30000d43f20b87c4abdd53fdb7556912da66824406e98347df5e
SSDEEP

12288:6cdkVE1wqnLHHP1W0Tilcyy3VLk3BWpC/c3fvYQuObIk:XOXqLHHNWy3VLk31k3fA

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3636	atiapfxx.exe

Loads dropped DLL 1 IoCs

pid	Process
3636	atiapfxx.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3456	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3040	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	85
PID 2008 wrote to memory of 3040	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	85
PID 2008 wrote to memory of 3040	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	85
PID 2008 wrote to memory of 2516	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	93
PID 2008 wrote to memory of 2516	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	93
PID 2008 wrote to memory of 2516	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	93
PID 2008 wrote to memory of 3636	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	95
PID 2008 wrote to memory of 3636	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	95
PID 2008 wrote to memory of 3636	2008	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	95
PID 3636 wrote to memory of 3460	3636	atiapfxx.exe	96
PID 3636 wrote to memory of 3460	3636	atiapfxx.exe	96
PID 3636 wrote to memory of 3460	3636	atiapfxx.exe	96
PID 3460 wrote to memory of 3456	3460	cmd.exe	98
PID 3460 wrote to memory of 3456	3460	cmd.exe	98
PID 3460 wrote to memory of 3456	3460	cmd.exe	98
PID 3636 wrote to memory of 216	3636	atiapfxx.exe	100
PID 3636 wrote to memory of 216	3636	atiapfxx.exe	100
PID 3636 wrote to memory of 216	3636	atiapfxx.exe	100

C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  /c time /T
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  /c time /T
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe
  C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe C:\Users\Admin\AppData\Roaming\ATI\atisamu32.dll, ADL2_Display_Regamma_Set pid=2008 "C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    /Q /C TASKKILL /F /PID 2008 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /PID 2008
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    /c time /T
    3⤵
    PID:216

C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\Admin\AppData\Roaming\ATI\atisamu32.dll

Filesize
812KB

MD5
da311c2005e7580c662d1911dbee49c0

SHA1
26d030c93c517d63147f502bf6536c3914698821

SHA256
cd7ec70cbd88620acc499cee175309c87f0f4d2de5bbc99fd525c62cc25441d5

SHA512
06adf8403bdb1fb434af028ea594cc7d53f38bad9d393966553656a630ec9f5e67163a531cd317e1f9c9ecff88343dd4e590ee1241bf098a418b7cdaa79d4bbd

Download Submit
C:\Users\Admin\AppData\Roaming\ATI\racss.dat

Filesize
5KB

MD5
d1440f0f6ded17896b0cf85e87915d65

SHA1
3b297f0ca7750c0c74e5f931fec1528fe1ba6bc9

SHA256
1c14172ed934e77fea0e0ea435c3a736fad22df4aadba679b9f7523e24cfad86

SHA512
3c3b78afd859014dc62328be401a5e4637bb600a5ae7c385523d175f4e019fba20e471d6b21242cee6fe537810074e19b2ace5a8bd106d8787c163362de48172

Download Submit