0d656ed42a443817e8cf10e04c5fbdf86674555828e159576c796df42d3ebdc3

Analysis

max time kernel
143s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe
Size

347KB
MD5

4970cc4a5ca67fcc055b968376296828
SHA1

ec370477421a5b99468cab0facb6ba293a2429d7
SHA256

0d656ed42a443817e8cf10e04c5fbdf86674555828e159576c796df42d3ebdc3
SHA512

c5800b1e88db4e7dd8522bb2ac801343d9d6451ef3afb6bc7d1489773e752c7138829cc6d53b735850b061dec42365e77c1ca3eb3898472211ac2d0c1bcc22bc
SSDEEP

6144:GulRMmhAReljb2QE5sKfBse2T2DVUgeNtzvE6g1VHeqgImGtUldVf360:GERMujEvBsfb3IeXZtlHK0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	bookly

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\bookly	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe
File opened for modification	C:\Windows\bookly	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe
Token: SeDebugPrivilege	1336	bookly

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1336	bookly

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2632	1336	bookly	30
PID 1336 wrote to memory of 2632	1336	bookly	30
PID 1336 wrote to memory of 2632	1336	bookly	30
PID 1336 wrote to memory of 2632	1336	bookly	30
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31
PID 2472 wrote to memory of 2188	2472	4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4970cc4a5ca67fcc055b968376296828_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2188

C:\Windows\bookly
C:\Windows\bookly
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bookly

Filesize
347KB

MD5
4970cc4a5ca67fcc055b968376296828

SHA1
ec370477421a5b99468cab0facb6ba293a2429d7

SHA256
0d656ed42a443817e8cf10e04c5fbdf86674555828e159576c796df42d3ebdc3

SHA512
c5800b1e88db4e7dd8522bb2ac801343d9d6451ef3afb6bc7d1489773e752c7138829cc6d53b735850b061dec42365e77c1ca3eb3898472211ac2d0c1bcc22bc

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
db65bab731c7102a317ece0c88b4fe8d

SHA1
88483058ff191ce2f02935f356d4b7da1cf0a57f

SHA256
f42d7d5d8fc881ad9729dfed8a94876cc9837da70f44bdefa6b2b3fcba53356e

SHA512
b7f9f575b065fa7e4ae16e946db9cb88669970bb71b97c81afbd9f9cb53b23246381cdcdc73c5ac203ff701938c79a24f2287b46f88b983a2486e34f458bef31

Download Submit
memory/1336-35-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1336-22-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1336-23-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1336-21-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1336-20-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1336-19-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-4-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-7-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-8-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-11-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-10-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-9-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-2-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-5-0x000000000055A000-0x00000000005A8000-memory.dmp

Filesize
312KB

Download
memory/2472-6-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-33-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2472-0-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download