9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 17:33

Target

641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
Size

299KB
MD5

641f4b9575202033bc0715b4cf744ea4
SHA1

9fb0a3a8fdfc99461b77857f88760e1848fbde73
SHA256

9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1
SHA512

e574e5a10a5bcf2b06f83746fa954ed31113b7e8b7a019cabe5bfaa259362c3e611f480a46c3efed3a153b6a07c0b28659dd62bf1598771924db66dd93309d26
SSDEEP

6144:oqu2Oz82ARpUKrZ4mkRl0kl+6vlik/om6s:D6ARXZ40kl+69r

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	svchost.exe -k

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2756-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/files/0x000700000001211b-4.dat	upx
behavioral1/memory/2240-5-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2756-16-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2240-18-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe -k	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe -k	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
File created	C:\Windows\DELME.BAT	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
Token: SeDebugPrivilege	2240	svchost.exe -k

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	svchost.exe -k

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2876	2240	svchost.exe -k	31
PID 2240 wrote to memory of 2876	2240	svchost.exe -k	31
PID 2240 wrote to memory of 2876	2240	svchost.exe -k	31
PID 2240 wrote to memory of 2876	2240	svchost.exe -k	31
PID 2756 wrote to memory of 2848	2756	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2848	2756	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2848	2756	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2848	2756	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DELME.BAT
  2⤵
  - Deletes itself
  PID:2848

C:\Windows\svchost.exe -k
"C:\Windows\svchost.exe -k"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2876

C:\Windows\DELME.BAT

Filesize
218B

MD5
16a813ea6aa2e66062409dc57dd6eea5

SHA1
6f4d315b8593f894d09cb14d0d41779a651ee7d8

SHA256
cad1c607bf39d04563825e39bcad8e2c41e03a8cc090f7eb05165daf9ccc7c8b

SHA512
7af2bdccd8a9c9fd6f2a46e6e23f8c6ffdc0b57a8e293732e6a983ceebbc4cb1fa6eef7b0aafa3f7dd3cce08bfadfdb44a7d4533ff594e17d603a3904f05e5da

Download Submit
C:\Windows\svchost.exe -k

Filesize
299KB

MD5
641f4b9575202033bc0715b4cf744ea4

SHA1
9fb0a3a8fdfc99461b77857f88760e1848fbde73

SHA256
9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1

SHA512
e574e5a10a5bcf2b06f83746fa954ed31113b7e8b7a019cabe5bfaa259362c3e611f480a46c3efed3a153b6a07c0b28659dd62bf1598771924db66dd93309d26

Download Submit
memory/2240-5-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2240-6-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2240-18-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2240-20-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2756-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2756-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download