eca5013a84161b2d0fbf1ab850c0078bcee0ad8bea09c9b5b3a24881661485c4

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe
Size

293KB
MD5

628129d82ec97d79097919fc880e3b10
SHA1

0f6c02e4d2b17a32e0ffe34cd288b8f0b2fc1298
SHA256

eca5013a84161b2d0fbf1ab850c0078bcee0ad8bea09c9b5b3a24881661485c4
SHA512

32e3766edf3b9de339337a73a5e1f1b6b80e537c44c0082d94d29274be98d551c602d1b01d0bf4c3fbbd9c9064e843b2bcc30aa39a55aa3ad43ae53b1ac26ced
SSDEEP

6144:mpo9IhQ6CptIuDtfPZpdN8UO/tP8A+cx3dd8xJzfDELiB+CetzlVtTXM:dihXEBZ3RKUOFKcx3w7rDlB+Cm3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tasks\svchost.exe	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe
File opened for modification	C:\Windows\tasks\svchost.exe	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe
File created	C:\Windows\004A0AAF.BAT	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 224	1560	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe	90
PID 1560 wrote to memory of 224	1560	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe	90
PID 1560 wrote to memory of 224	1560	628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\628129d82ec97d79097919fc880e3b10_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\004A0AAF.BAT
  2⤵
  PID:224

C:\Windows\tasks\svchost.exe
C:\Windows\tasks\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\004A0AAF.BAT

Filesize
218B

MD5
3d1375c7e5a75f18283701c254979d5d

SHA1
0e74b92cb6d5000016fb1b40d8cb93c6d7094c0e

SHA256
31ac8a7fd7cf0db22b833a0c687c06df14cf8c875f26dd78fa1cde142a099f3d

SHA512
38c8acdeaf40e3ebfa759f0ec2f483f964c9094807bc057ad21f07846305b997ddece80d584e3922cf2a2434c2aa83ae03e051433594bd1bfe4a1e6f65225dbe

Download Submit
C:\Windows\Tasks\svchost.exe

Filesize
293KB

MD5
628129d82ec97d79097919fc880e3b10

SHA1
0f6c02e4d2b17a32e0ffe34cd288b8f0b2fc1298

SHA256
eca5013a84161b2d0fbf1ab850c0078bcee0ad8bea09c9b5b3a24881661485c4

SHA512
32e3766edf3b9de339337a73a5e1f1b6b80e537c44c0082d94d29274be98d551c602d1b01d0bf4c3fbbd9c9064e843b2bcc30aa39a55aa3ad43ae53b1ac26ced

Download Submit
memory/1560-16-0x0000000000401000-0x00000000004C1000-memory.dmp

Filesize
768KB

Download
memory/1560-1-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/1560-2-0x0000000000401000-0x00000000004C1000-memory.dmp

Filesize
768KB

Download
memory/1560-3-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/1560-6-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/1560-0-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/1560-17-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/2636-11-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/2636-13-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/2636-12-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/2636-10-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download
memory/2636-19-0x0000000000400000-0x000000000050A446-memory.dmp

Filesize
1.0MB

Download