492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 11:27

Target

459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
Size

76KB
MD5

459cde6e25bcf5afff6bdf88d66c02ed
SHA1

775ed249c0b94f397551b347ea3c3bf681e918f9
SHA256

492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c
SHA512

9e108ae11af75cf43278320d4f768e2ef5ba9320c785b3d3597ff4280d695363c46440b9aec35a6145d72cb4cd22a69416de9c76eb01a274a0cbb91c57e086a3
SSDEEP

1536:swpW9UaDLSvuQUE6UdYwiSSgOkflWWZNp3+aq7z:VW9UaDuvlwU2KSgrcW3rq7z

Score

1^/10

Kills process with taskkill 1 IoCs

evasion

pid	Process
620	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 112	2984	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 112	2984	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 112	2984	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	31
PID 2984 wrote to memory of 112	2984	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	31
PID 112 wrote to memory of 620	112	cmd.exe	33
PID 112 wrote to memory of 620	112	cmd.exe	33
PID 112 wrote to memory of 620	112	cmd.exe	33
PID 112 wrote to memory of 620	112	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt13285.bat "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im reseau.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:620

C:\Users\Admin\AppData\Local\Temp\bt13285.bat

Filesize
476B

MD5
8673d3d51593a4995652e962a67d58a4

SHA1
697177b467677b549b8b1bb1578db8100e8e6c40

SHA256
7b89a4b26ae938579df6deb3ee647da318ebc9a22d1bcc80a8a01a6ccb9cced1

SHA512
5b551feb018181d506dde50ebc638ea569a6d4135ddfdbd133f173f7ca3e99126c5e84c7050ac99279e986a716c46f2ddbed4565dce6757a66b2cd4570d0e27a

Download Submit
memory/2984-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download