4654f3af174704f171088ad84b287e44795da6c53b91e2ffe6365a8adcda3182

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 20:14

Target

432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
Size

411KB
MD5

432e21215f94982e7585a95f5aa9c30d
SHA1

746b44612a503a14cc6407053b2652895965d2b4
SHA256

4654f3af174704f171088ad84b287e44795da6c53b91e2ffe6365a8adcda3182
SHA512

8dfb4d51d7587384ec021a6a5ba4939cf91b89229a9d42b1fde13bcbf24a87e4e8ddfaaefc701dbdac8b6f76d769a8300612d1ac3609dfd8eea5afcbe45f67ec
SSDEEP

12288:rGO5BvJnxdK0wRVrJH2WHwK9MKcerbndOU0DSxEagJ:XPJOpRph5HFZcCb02V2

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2980	pzpB6C1.tmp
2928	HTTP.db

Loads dropped DLL 2 IoCs

pid	Process
2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 2920	2928	HTTP.db	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\HTTP.db	pzpB6C1.tmp
File created	C:\Program Files (x86)\Internet Explorer\HTTP.db	pzpB6C1.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	pzpB6C1.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	pzpB6C1.tmp
Token: SeDebugPrivilege	2928	HTTP.db

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2980	2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2980	2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2980	2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2980	2776	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2980 wrote to memory of 2976	2980	pzpB6C1.tmp	33
PID 2928 wrote to memory of 2920	2928	HTTP.db	32
PID 2928 wrote to memory of 2920	2928	HTTP.db	32
PID 2928 wrote to memory of 2920	2928	HTTP.db	32
PID 2928 wrote to memory of 2920	2928	HTTP.db	32
PID 2928 wrote to memory of 2920	2928	HTTP.db	32
PID 2928 wrote to memory of 2920	2928	HTTP.db	32

C:\Program Files (x86)\Internet Explorer\HTTP.db
"C:\Program Files (x86)\Internet Explorer\HTTP.db"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\WiNdOWs\SysWOW64\svCHost.exe
  C:\WiNdOWs\sYstEm32\svCHost.exe................
  2⤵
  PID:2920

C:\Windows\uninstal.bat

Filesize
140B

MD5
0a10776f87677bbf7cda3234e29574cf

SHA1
58bf303968534696fa204f094d9e69520aefd96d

SHA256
b849f5b4ef965ccf77a2fe94f1196f0362f6d2d5c66b4dd8232276ff04da57e6

SHA512
c8258b4f427af33d6c55649da2da553e4c1213ef9945a2d54051e4c397d25bc31ac9288d609db3e2a6412ccd699319173a452dcf4bb48dbf83b62e399f8d8600

Download Submit
\Users\Admin\AppData\Local\Temp\pzpB6C1.tmp

Filesize
743KB

MD5
19d99745166de14cf598192aa3beaee3

SHA1
a1c46c0cfd35597a04dde3c192c290a4dfad1623

SHA256
4102054a7ad1a02e489dec512838a469e0c584be9142f6d3a27fad6a7e6be728

SHA512
64cf15025e66db4a98ec22e7660fa44580a48fcc12f436cca358e92a4fe76bf4a410f6acd16b2973aad1d96fc6ea8bf5aba7eb5ccf92be5d2eade8cf0468e122

Download Submit
memory/2776-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2920-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2920-27-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2928-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2928-34-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2980-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2980-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download