1334900f60b759c6e3db382a68038b8c71aed7bea5ef9829d9c84dd0acb114b2

Analysis

max time kernel
95s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 11:30

Target

5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe
Size

390KB
MD5

5bc240d09f20592fd180146692ad1a94
SHA1

6363ae5ccbf328f48c67c34da148443a439b1a3b
SHA256

1334900f60b759c6e3db382a68038b8c71aed7bea5ef9829d9c84dd0acb114b2
SHA512

ceff996ee4f9be185683cc91f1cffa287ab3ed953714f5cebb7c02267319b0b48cf9616d34073b05051c9c68a953d87c5c3080cc5b12bcf9a9ece3c4bbfed01d
SSDEEP

6144:rbGGx7S1h4+TBivuQgmkGB4FGJ/yFBY/CFegLOxuCmd:rbGO7yhzTUvuXEVsFyAfd

Score

7^/10

upx

Executes dropped EXE 2 IoCs

pid	Process
3544	RedGirl.exe
3736	RedGirl.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x00090000000234c4-9.dat	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RedGirl.dat	RedGirl.exe
File opened for modification	C:\Windows\SysWOW64\RedGirl.dat	RedGirl.exe
File created	C:\Windows\SysWOW64\RedGirl.exe	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RedGirl.exe	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tmp.bat	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	RedGirl.exe
Token: SeSystemtimePrivilege	3544	RedGirl.exe
Token: SeDebugPrivilege	3544	RedGirl.exe
Token: SeSystemtimePrivilege	3544	RedGirl.exe
Token: SeDebugPrivilege	3736	RedGirl.exe
Token: SeSystemtimePrivilege	3736	RedGirl.exe
Token: SeDebugPrivilege	3736	RedGirl.exe
Token: SeSystemtimePrivilege	3736	RedGirl.exe
Token: SeDebugPrivilege	3736	RedGirl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3544	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	86
PID 5072 wrote to memory of 3544	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	86
PID 5072 wrote to memory of 3544	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	86
PID 5072 wrote to memory of 5012	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	87
PID 5072 wrote to memory of 5012	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	87
PID 5072 wrote to memory of 5012	5072	5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe	87
PID 3736 wrote to memory of 3880	3736	RedGirl.exe	102
PID 3736 wrote to memory of 3880	3736	RedGirl.exe	102
PID 3736 wrote to memory of 3880	3736	RedGirl.exe	102

C:\Users\Admin\AppData\Local\Temp\5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bc240d09f20592fd180146692ad1a94_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\RedGirl.exe
  C:\Windows\System32\RedGirl.exe 1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\tmp.bat
  2⤵
  PID:5012

C:\Windows\SysWOW64\RedGirl.exe
C:\Windows\SysWOW64\RedGirl.exe -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3880

C:\Windows\SysWOW64\RedGirl.dat

Filesize
192KB

MD5
0d05c432fe88a7ddbad169ca9b2e0bb2

SHA1
95fcd9c8b88bd6094a69fa46f41a93a5f6324b17

SHA256
ffdc5b2dd189d111bdb2546f9c1a7782bddb45194bf441d6a0319f51e0034050

SHA512
714bec24f5b9bd12c3afa98215d893f68cad065911e3b94bdf7bd2aae329148f2afd191068d84466355ea94c0e4eb8a06378b654165d7da5844e0fca5a8417bf

Download Submit
C:\Windows\SysWOW64\RedGirl.exe

Filesize
390KB

MD5
5bc240d09f20592fd180146692ad1a94

SHA1
6363ae5ccbf328f48c67c34da148443a439b1a3b

SHA256
1334900f60b759c6e3db382a68038b8c71aed7bea5ef9829d9c84dd0acb114b2

SHA512
ceff996ee4f9be185683cc91f1cffa287ab3ed953714f5cebb7c02267319b0b48cf9616d34073b05051c9c68a953d87c5c3080cc5b12bcf9a9ece3c4bbfed01d

Download Submit
C:\Windows\SysWOW64\tmp.bat

Filesize
267B

MD5
664c186416fb8423076d9edf00ee8aa9

SHA1
66dadd6d13cc7fb203b933b87a40b8b719dffb4e

SHA256
300f726a3eb46acea3422b691d1d964b234c9534da15977bde58d4360caac484

SHA512
2c494215322f55a428ae249b95a720a1c5476f4cfcdeff13b3dc0248576a0ac61afeac95c3960db519607815829df792c75eb0bd13ea1e494dac01de83d7c4a9

Download Submit