7c5d8604b504015f32af4b79cf3c09bff69ce519e037580039cd0a3ed0d0ea2d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 22:56

Target

60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe
Size

361KB
MD5

60506b1cbf3a584fee3fe0c93cf2cd1d
SHA1

c665afc933b52f7b686e07459168536cb166a837
SHA256

7c5d8604b504015f32af4b79cf3c09bff69ce519e037580039cd0a3ed0d0ea2d
SHA512

f8e1dafea44446347bbe4edac238a5999dce19987f973dbe666c8718af51aded54721d3a645e7337c64e510f90ff51bfee8ddd888d14d9c73a0fcef47b2a9fda
SSDEEP

6144:Vze7SykfSOBlWWRmGwL4QQgKKX8x7/2xWqWma2XDzHPt281NZb:JeXpOjWtGNgDUiWqWNKDrt2uZb

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
5020	scdhcw.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scdhcw.exe	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scdhcw.exe	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Enigma Protector\29AEB4A0365755F6-B862CAE984EA4D0E\Options = 1c65ca371922cc3099fda0578d159434dc5b5ce16a2391c9161339c29d6d5e75fe5cfff47fdc20c67b812289ef614e13b6b4cbfb7c155cd580bfc660cee01cdf4f7d2419c8f04c372efb4ed5c258b2b567383babfb4d10e7a910006bd3db5fbd8df3e5f310b60e44	scdhcw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Enigma Protector\29AEB4A0365755F6-B862CAE984EA4D0E	scdhcw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	scdhcw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Enigma Protector	scdhcw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\EnigmaDevelopers\	scdhcw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Enigma Protector\29AEB4A0365755F6-B862CAE984EA4D0E\02F01F553A112DCE-00C9DB38C18D5FD1	scdhcw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Enigma Protector\29AEB4A0365755F6-B862CAE984EA4D0E\02F01F553A112DCE-00C9DB38C18D5FD1\8BD0F9B1 = fad1147286eeb500d5e625d811af	scdhcw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4280	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 1452	4280	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe	85
PID 4280 wrote to memory of 1452	4280	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe	85
PID 4280 wrote to memory of 1452	4280	60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60506b1cbf3a584fee3fe0c93cf2cd1d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\60506B~1.EXE > nul
  2⤵
  PID:1452

C:\Windows\SysWOW64\scdhcw.exe

Filesize
361KB

MD5
60506b1cbf3a584fee3fe0c93cf2cd1d

SHA1
c665afc933b52f7b686e07459168536cb166a837

SHA256
7c5d8604b504015f32af4b79cf3c09bff69ce519e037580039cd0a3ed0d0ea2d

SHA512
f8e1dafea44446347bbe4edac238a5999dce19987f973dbe666c8718af51aded54721d3a645e7337c64e510f90ff51bfee8ddd888d14d9c73a0fcef47b2a9fda

Download Submit
memory/4280-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4280-1-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4280-7-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/5020-5-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/5020-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download