4654f3af174704f171088ad84b287e44795da6c53b91e2ffe6365a8adcda3182

Analysis

max time kernel
95s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
Size

411KB
MD5

432e21215f94982e7585a95f5aa9c30d
SHA1

746b44612a503a14cc6407053b2652895965d2b4
SHA256

4654f3af174704f171088ad84b287e44795da6c53b91e2ffe6365a8adcda3182
SHA512

8dfb4d51d7587384ec021a6a5ba4939cf91b89229a9d42b1fde13bcbf24a87e4e8ddfaaefc701dbdac8b6f76d769a8300612d1ac3609dfd8eea5afcbe45f67ec
SSDEEP

12288:rGO5BvJnxdK0wRVrJH2WHwK9MKcerbndOU0DSxEagJ:XPJOpRph5HFZcCb02V2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4492	pzpE4A9.tmp
3140	HTTP.db

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 4788	3140	HTTP.db	88

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\HTTP.db	pzpE4A9.tmp
File opened for modification	C:\Program Files (x86)\Internet Explorer\HTTP.db	pzpE4A9.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	pzpE4A9.tmp

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2388	4788	WerFault.exe	88
4820	4672	WerFault.exe	83
1788	4672	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	pzpE4A9.tmp
Token: SeDebugPrivilege	3140	HTTP.db

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4492	4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	85
PID 4672 wrote to memory of 4492	4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	85
PID 4672 wrote to memory of 4492	4672	432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe	85
PID 3140 wrote to memory of 4788	3140	HTTP.db	88
PID 3140 wrote to memory of 4788	3140	HTTP.db	88
PID 3140 wrote to memory of 4788	3140	HTTP.db	88
PID 3140 wrote to memory of 4788	3140	HTTP.db	88
PID 3140 wrote to memory of 4788	3140	HTTP.db	88
PID 4492 wrote to memory of 2488	4492	pzpE4A9.tmp	92
PID 4492 wrote to memory of 2488	4492	pzpE4A9.tmp	92
PID 4492 wrote to memory of 2488	4492	pzpE4A9.tmp	92

C:\Users\Admin\AppData\Local\Temp\432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\pzpE4A9.tmp
  "C:\Users\Admin\AppData\Local\Temp\pzpE4A9.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 304
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 320
  2⤵
  - Program crash
  PID:1788

C:\Program Files (x86)\Internet Explorer\HTTP.db
"C:\Program Files (x86)\Internet Explorer\HTTP.db"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\WiNdOWs\SysWOW64\svCHost.exe
  C:\WiNdOWs\sYstEm32\svCHost.exe................
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 12
    3⤵
    - Program crash
    PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4788 -ip 4788
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4672 -ip 4672
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4672 -ip 4672
1⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pzpE4A9.tmp

Filesize
743KB

MD5
19d99745166de14cf598192aa3beaee3

SHA1
a1c46c0cfd35597a04dde3c192c290a4dfad1623

SHA256
4102054a7ad1a02e489dec512838a469e0c584be9142f6d3a27fad6a7e6be728

SHA512
64cf15025e66db4a98ec22e7660fa44580a48fcc12f436cca358e92a4fe76bf4a410f6acd16b2973aad1d96fc6ea8bf5aba7eb5ccf92be5d2eade8cf0468e122

Download Submit
C:\Windows\uninstal.bat

Filesize
140B

MD5
feb9e5b2e4c307bfe6ba7f1b947a611f

SHA1
44e18a64b49f9a399cf263009f9323836eff2f90

SHA256
4738563e88a58ca94dd7399a0e3dc1b5dacceb7d82bc69390d0aead098f51db2

SHA512
3d9d28fb279e052d1955ec8d42af5612fcd10cfa6b963d4ac1b5096d261460179f8377104cf814be24abab9be9c53eb0a9944ea1f7d3fd38860597dd7592a8af

Download Submit
memory/3140-10-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3140-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4492-5-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4492-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4672-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4788-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download