ffa6bb102c782dc9675c82f7331743ced278d952db6fc5d63109d2c985659b88

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 09:21

Target

62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe
Size

744KB
MD5

62ac0760d61cdabdb4822660959d435c
SHA1

93ff29e109fccd7468b0faab3ac42322850f37bc
SHA256

ffa6bb102c782dc9675c82f7331743ced278d952db6fc5d63109d2c985659b88
SHA512

6d7789202d870442369c121a8d60aef9882ac0cfe2fa5086e86aed25ba4f74bd60315fbc1fc5587c028fa3079e49bc711d3fd2dd661871b39f1b0c6c0fbe17f4
SSDEEP

12288:yRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GbRvZgIk+bQQ52LYRg08yPwrRs3:e8MU4ufxdW5A2mJr/khRveIk+33Y

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe
File created	C:\Windows\61642520.BAT	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1728	2792	Hacker.com.cn.exe	31
PID 2792 wrote to memory of 1728	2792	Hacker.com.cn.exe	31
PID 2792 wrote to memory of 1728	2792	Hacker.com.cn.exe	31
PID 2792 wrote to memory of 1728	2792	Hacker.com.cn.exe	31
PID 2260 wrote to memory of 2820	2260	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2820	2260	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2820	2260	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2820	2260	62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62ac0760d61cdabdb4822660959d435c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2820

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1728

C:\Windows\61642520.BAT

Filesize
218B

MD5
e0d5ed44f0b87d6f298a12e049f157db

SHA1
95ec3db18955f59bb906a5c9fd3e1290db4a124b

SHA256
8ca23e28867e83305a6f06ba07ac29cdf175426e476a28140df0c6bd67d1c43c

SHA512
1a3664b2a89a7daf3d226eb515832122b2f4210728055eb4149babfb70f887d1d287598ca5de796478d922d62bb5308066c2ad7f789c5faa59a6b6fdf73be655

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
744KB

MD5
62ac0760d61cdabdb4822660959d435c

SHA1
93ff29e109fccd7468b0faab3ac42322850f37bc

SHA256
ffa6bb102c782dc9675c82f7331743ced278d952db6fc5d63109d2c985659b88

SHA512
6d7789202d870442369c121a8d60aef9882ac0cfe2fa5086e86aed25ba4f74bd60315fbc1fc5587c028fa3079e49bc711d3fd2dd661871b39f1b0c6c0fbe17f4

Download Submit
memory/2260-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2260-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2792-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2792-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2792-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download