9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 17:33

Target

641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
Size

299KB
MD5

641f4b9575202033bc0715b4cf744ea4
SHA1

9fb0a3a8fdfc99461b77857f88760e1848fbde73
SHA256

9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1
SHA512

e574e5a10a5bcf2b06f83746fa954ed31113b7e8b7a019cabe5bfaa259362c3e611f480a46c3efed3a153b6a07c0b28659dd62bf1598771924db66dd93309d26
SSDEEP

6144:oqu2Oz82ARpUKrZ4mkRl0kl+6vlik/om6s:D6ARXZ40kl+69r

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3312	svchost.exe -k

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2928-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/files/0x000900000002343e-4.dat	upx
behavioral2/memory/3312-6-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2928-11-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3312-13-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe -k	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe -k	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
File created	C:\Windows\DELME.BAT	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
Token: SeDebugPrivilege	3312	svchost.exe -k

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3312	svchost.exe -k

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 5096	2928	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	89
PID 2928 wrote to memory of 5096	2928	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	89
PID 2928 wrote to memory of 5096	2928	641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe	89
PID 3312 wrote to memory of 2452	3312	svchost.exe -k	88
PID 3312 wrote to memory of 2452	3312	svchost.exe -k	88

C:\Users\Admin\AppData\Local\Temp\641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\641f4b9575202033bc0715b4cf744ea4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\DELME.BAT
  2⤵
  PID:5096

C:\Windows\svchost.exe -k
"C:\Windows\svchost.exe -k"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2452

C:\Windows\DELME.BAT

Filesize
218B

MD5
16a813ea6aa2e66062409dc57dd6eea5

SHA1
6f4d315b8593f894d09cb14d0d41779a651ee7d8

SHA256
cad1c607bf39d04563825e39bcad8e2c41e03a8cc090f7eb05165daf9ccc7c8b

SHA512
7af2bdccd8a9c9fd6f2a46e6e23f8c6ffdc0b57a8e293732e6a983ceebbc4cb1fa6eef7b0aafa3f7dd3cce08bfadfdb44a7d4533ff594e17d603a3904f05e5da

Download Submit
C:\Windows\svchost.exe -k

Filesize
299KB

MD5
641f4b9575202033bc0715b4cf744ea4

SHA1
9fb0a3a8fdfc99461b77857f88760e1848fbde73

SHA256
9abb17dae6bfbbcb08bf69cfb2879000a8116870d992ee151e1857af74cd2fd1

SHA512
e574e5a10a5bcf2b06f83746fa954ed31113b7e8b7a019cabe5bfaa259362c3e611f480a46c3efed3a153b6a07c0b28659dd62bf1598771924db66dd93309d26

Download Submit
memory/2928-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2928-1-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2928-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3312-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3312-8-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3312-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3312-15-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download