c993cf052fffe596f59de07010b3aa5df60eeb1cb3583087f5d5659d605248b1

Analysis

max time kernel
147s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 09:39

Target

4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe
Size

72KB
MD5

4dc0a91a66d387d17677574520e7eebd
SHA1

9f176161a82db31e118958b16715c5e13bb95f50
SHA256

c993cf052fffe596f59de07010b3aa5df60eeb1cb3583087f5d5659d605248b1
SHA512

57d0419b5c91f821903fe0e1db0878d1f9859b7d3ceec4a8c912a3c408122b95bc152f0a4a4f6ed9b4940cb423b7b7fc64f638f4fad257d7bdd95d1d50c23286
SSDEEP

1536:3THuzpM9iDA17BD3gPLTmWcXl4av66sj:3YGFDkLyWW+A66s

Score

8^/10

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2424	sc.exe
3596	sc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2424	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	83
PID 3652 wrote to memory of 2424	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	83
PID 3652 wrote to memory of 2424	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	83
PID 3652 wrote to memory of 3596	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	85
PID 3652 wrote to memory of 3596	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	85
PID 3652 wrote to memory of 3596	3652	4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\sc.exe
  sc.exe delete "Webserv"
  2⤵
  - Launches sc.exe
  PID:2424
- C:\Windows\SysWOW64\sc.exe
  sc.exe Create "Webserv" type= own type= interact start= auto DisplayName= "web" binPath= "cmd.exe /c start "C:\Users\Admin\AppData\Local\Temp\4dc0a91a66d387d17677574520e7eebd_JaffaCakes118.exe"
  2⤵
  - Launches sc.exe
  PID:3596