dcae78be09362f839147ecd368fba0b85940af9d1e832fb2c735ba9247cd4ac5

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 20:36

Target

4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe
Size

19KB
MD5

4b4d1ce315f78cc9475934f5e1251f4a
SHA1

09b2d9499d9f1a23467c3f95ca830ba0657f79b9
SHA256

dcae78be09362f839147ecd368fba0b85940af9d1e832fb2c735ba9247cd4ac5
SHA512

2542ea434cc09f2e66700de8c49aaca1552a2dc5e0fbf26bc9ebd7787f73ffbe2a751d3d51e710c4177d2ca3c96aa49da50985c2f21c0177ed8fd68918c22fe1
SSDEEP

384:pXuIa3hZGN11WLdf3hRj5dEkkqtbku8nw:p+d3G31WLdZRj57bku8nw

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2504	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fydoor0.dll	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fydoor0.dll	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD9B003B-4528-A9D9-0BE6-B8DBACAC6B9B}\daExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe"	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD9B003B-4528-A9D9-0BE6-B8DBACAC6B9B}\daDllModuleName = "C:\\Windows\\SysWow64\\fydoor0.dll"	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD9B003B-4528-A9D9-0BE6-B8DBACAC6B9B}\daSobjEventName = "YUTDFGHKHCOOLFY_0"	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD9B003B-4528-A9D9-0BE6-B8DBACAC6B9B}	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1216	2504	4b4d1ce315f78cc9475934f5e1251f4a_JaffaCakes118.exe	21

\Windows\SysWOW64\fydoor0.dll

Filesize
13KB

MD5
0c8bcaa1637ac2d5fe8a40fc61c8ce10

SHA1
313bd19492da3eb8cd4842b982ca66cca1624458

SHA256
1eb510307556d1ed46457852404fcc35aa3ab2f4aae8ea118076f12fa1a06252

SHA512
8ab978603c3addf4b5b67f2cddc5bc0d22c13858a7402ca88a7a8a857808f5915a7bce845874548fa72016e17888349691292ae6e5a461f97eb5c792d8110f7a

Download Submit
memory/1216-6-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2504-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2504-5-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2504-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2504-8-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download