c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 20:11

Target

432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
Size

711KB
MD5

432bb2e967e63a9e81fbb18e3fdf4fea
SHA1

fe2f329bcf2523b7a38c5a8477c78ade8f28b517
SHA256

c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f
SHA512

88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1
SSDEEP

12288:FMViJAFvKqrhxrVsVpp7gx6v6XzD/Dgg6P7EBf8tsMm9nAO3BT5UyFLr:SiKFv5jsHp7iXzDaP7+6O3B9F3

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2352	servers.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2388	2352	servers.exe	32

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\servers.exe	432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
File opened for modification	C:\Windows\servers.exe	432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
Token: SeDebugPrivilege	2352	servers.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2388	2352	servers.exe	32
PID 2352 wrote to memory of 2388	2352	servers.exe	32
PID 2352 wrote to memory of 2388	2352	servers.exe	32
PID 2352 wrote to memory of 2388	2352	servers.exe	32
PID 2352 wrote to memory of 2388	2352	servers.exe	32
PID 2352 wrote to memory of 2388	2352	servers.exe	32

C:\Windows\servers.exe
C:\Windows\servers.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:2388

C:\Windows\servers.exe

Filesize
711KB

MD5
432bb2e967e63a9e81fbb18e3fdf4fea

SHA1
fe2f329bcf2523b7a38c5a8477c78ade8f28b517

SHA256
c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f

SHA512
88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1

Download Submit
memory/2352-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2352-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2352-14-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2388-11-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2388-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2388-13-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2724-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2724-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2724-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download