e67096bf037d0a9080f3f7f0f3c64b819ceb47cd5e23abbb206003775b73c15e

Analysis

max time kernel
122s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 02:40

Target

47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe
Size

42KB
MD5

47defadd8f3bc445ed1317fee089575a
SHA1

b0bf4dfbdaedd19bcf64846b7cd53d9f0c38620f
SHA256

e67096bf037d0a9080f3f7f0f3c64b819ceb47cd5e23abbb206003775b73c15e
SHA512

4076c3b43c1bcc1b6049d1b7273173932ea31a3e9766f1d6dbcb231c6991edd3c1dc85075c07e733d901184bb75f413f1df332f7555c86e908d3366fa9c2e307
SSDEEP

768:8mIWbA8z53OTPiuADKZ3qHI3KxezNIuXY4BcRKNZ2o:8mrUq53yUK8o4ezN5Y4Bek2

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\rsdt.sys	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3348	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	83
PID 2764 wrote to memory of 3348	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	83
PID 2764 wrote to memory of 3348	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	83
PID 2984 wrote to memory of 3956	2984	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	86
PID 2984 wrote to memory of 3956	2984	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	86
PID 2984 wrote to memory of 3956	2984	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	86
PID 2764 wrote to memory of 5004	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	87
PID 2764 wrote to memory of 5004	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	87
PID 2764 wrote to memory of 5004	2764	47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c date 1949-10-1
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\47DEFA~1.EXE > nul
  2⤵
  PID:5004

C:\Windows\SysWOW64\47defadd8f3bc445ed1317fee089575a_JaffaCakes118.exe

Filesize
42KB

MD5
47defadd8f3bc445ed1317fee089575a

SHA1
b0bf4dfbdaedd19bcf64846b7cd53d9f0c38620f

SHA256
e67096bf037d0a9080f3f7f0f3c64b819ceb47cd5e23abbb206003775b73c15e

SHA512
4076c3b43c1bcc1b6049d1b7273173932ea31a3e9766f1d6dbcb231c6991edd3c1dc85075c07e733d901184bb75f413f1df332f7555c86e908d3366fa9c2e307

Download Submit