78797eab60c2e6a9cbcaf110b27d750e1108aaaabbc073f45b376cd523b0431b

Analysis

max time kernel
61s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 18:57

Target

4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe
Size

291KB
MD5

4afa59a3306fc137a118def820fa921b
SHA1

04ae314eaf055736ba1d876d4480befc2eecb956
SHA256

78797eab60c2e6a9cbcaf110b27d750e1108aaaabbc073f45b376cd523b0431b
SHA512

184ae5e86ddeb0736d9a381976e8292b543dd7059c3669f2eeff068b1dd7d23567140ede622d78c9ff84c937d9f7bda9f33d532fb62e227f76f187b87e7e8990
SSDEEP

6144:SldOFyKwOXaWpxQErEomtRYWvy4rzz+CkQ+RYlR7FzqQX48:Slw+41Wvyyz+Cd3FBo

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2908	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc}\u = "30344"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc}\cid = "2733945425685563407"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2908	2488	4afa59a3306fc137a118def820fa921b_JaffaCakes118.exe	29
PID 2908 wrote to memory of 336	2908	explorer.exe	2

C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
1812577ddfa736694a8dbad896d329d7

SHA1
a6831421aa2c04b93078df35d4bd2eed62985060

SHA256
c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df

SHA512
d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

Download Submit
memory/336-20-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/336-21-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/336-24-0x0000000001ED0000-0x0000000001EE2000-memory.dmp

Filesize
72KB

Download
memory/2488-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2488-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2488-1-0x0000000000400000-0x000000000044D800-memory.dmp

Filesize
310KB

Download
memory/2908-8-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/2908-13-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/2908-3-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/2908-14-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download