22ab05aacaef5a9dd59967863f58d8b0f11592cb214270c57e6ce4ad4953bbf1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 16:05

Target

4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe
Size

27KB
MD5

4263984cb2dacebe0d9539c4878e0ad9
SHA1

990e4dca669b96545e5c79e74edf0000fb6fbe8e
SHA256

22ab05aacaef5a9dd59967863f58d8b0f11592cb214270c57e6ce4ad4953bbf1
SHA512

d185dd24674d729b15fb9bf50dc4af9628fca521072421ba2a755940d69013c592e7d0f292d120d6fed256ef0e04f2d9609547bf83b2849be7f165b051c94526
SSDEEP

384:eDESfhzc54pMMVOgOhxLjAc/NlhBMqY/xDkiSSJb6wNbRW3G0Es++dXKoEi2zA6y:eD3zc5NgYZAc/NW9pNWXVtlDCA6

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1452	server15.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2468-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/files/0x00090000000234c5-3.dat	upx
behavioral2/memory/1452-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2468-7-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1452-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server15.exe	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\server15.exe	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2468	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3172	2468	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe	84
PID 2468 wrote to memory of 3172	2468	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe	84
PID 2468 wrote to memory of 3172	2468	4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4263984cb2dacebe0d9539c4878e0ad9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\426398~1.EXE > nul
  2⤵
  PID:3172

C:\Windows\SysWOW64\server15.exe
C:\Windows\SysWOW64\server15.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\SysWOW64\server15.exe

Filesize
27KB

MD5
4263984cb2dacebe0d9539c4878e0ad9

SHA1
990e4dca669b96545e5c79e74edf0000fb6fbe8e

SHA256
22ab05aacaef5a9dd59967863f58d8b0f11592cb214270c57e6ce4ad4953bbf1

SHA512
d185dd24674d729b15fb9bf50dc4af9628fca521072421ba2a755940d69013c592e7d0f292d120d6fed256ef0e04f2d9609547bf83b2849be7f165b051c94526

Download Submit
memory/1452-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download