db90d2a0b459e87822e6b613e02f7add300f29a7c664da344a9cfade0f6d5fae

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 05:40

Target

5f3b4e8e0ac4cacf668d8968a7389fd1_JaffaCakes118.dll
Size

208KB
MD5

5f3b4e8e0ac4cacf668d8968a7389fd1
SHA1

e18438f0f3c145dff06417692ab76ab5d6b27890
SHA256

db90d2a0b459e87822e6b613e02f7add300f29a7c664da344a9cfade0f6d5fae
SHA512

d84a600f4cce60a7347a404fe6ff0badf70d0bc389479ac7de51defbd52202b53548d13778ec1ab36ca316ee269d667f60934b908a9feaa61337e5ccef3da4a8
SSDEEP

3072:DoRQsgsLyOKLLBWKCjfcY+9t4lZoykTU19DBNlZ1/uDzg2naSRzIDZ01:DoRQsW/XUKlX4LoykTUDlMs2naSE

Score

4^/10

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4960	2700	rundll32.exe	86
PID 2700 wrote to memory of 4960	2700	rundll32.exe	86
PID 2700 wrote to memory of 4960	2700	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3b4e8e0ac4cacf668d8968a7389fd1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3b4e8e0ac4cacf668d8968a7389fd1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4960

C:\Windows\pwisys.ini

Filesize
15B

MD5
f76b79ad78d2c7c08e33c53798efd7ab

SHA1
40e3ed279bb7e37b7e37c62ad9b7183f81234ca2

SHA256
3c9fee212611cf3dde2fcc18e09e3811a37c6bc2eb4b542d1006f96601dfa04c

SHA512
7aebfa69e2b70d647f64ed912ca6d5ae881d4df6679cac303c67a69abce98f4ef5d185b0c07efbe5fb67ee9453311f58a3ac50272889f59ba73e3c45ba667647

Download Submit