6df75204e267f610904c481090ed5bdbafd788f4234f943a35bc67643527d63b

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe
Size

6.3MB
MD5

7340cb5d0035c78e8f3a630ae917b39b
SHA1

26fe1760506c6279c6fd4a779557146c858ba3d4
SHA256

6df75204e267f610904c481090ed5bdbafd788f4234f943a35bc67643527d63b
SHA512

530289a002ba16e59b4748eab6430da49394fdea43c75ededde9adc8f8191489129dce891b2f091cc9cb76b0657660387ed6fe27656ad67dc04a913ffd05e124
SSDEEP

98304:p9SBeaEG/VGiJwDhErzfz+9+A6LKSA/zlx/RH:7cean/VGiJmErzfzt+zl/

Score

1^/10

Malware Config

Signatures

GoLang User-Agent 8 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	8	Go-http-client/1.1
HTTP User-Agent header	9	Go-http-client/1.1
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe
Token: SeSystemProfilePrivilege	2776	wmic.exe
Token: SeSystemtimePrivilege	2776	wmic.exe
Token: SeProfSingleProcessPrivilege	2776	wmic.exe
Token: SeIncBasePriorityPrivilege	2776	wmic.exe
Token: SeCreatePagefilePrivilege	2776	wmic.exe
Token: SeBackupPrivilege	2776	wmic.exe
Token: SeRestorePrivilege	2776	wmic.exe
Token: SeShutdownPrivilege	2776	wmic.exe
Token: SeDebugPrivilege	2776	wmic.exe
Token: SeSystemEnvironmentPrivilege	2776	wmic.exe
Token: SeRemoteShutdownPrivilege	2776	wmic.exe
Token: SeUndockPrivilege	2776	wmic.exe
Token: SeManageVolumePrivilege	2776	wmic.exe
Token: 33	2776	wmic.exe
Token: 34	2776	wmic.exe
Token: 35	2776	wmic.exe
Token: SeIncreaseQuotaPrivilege	2776	wmic.exe
Token: SeSecurityPrivilege	2776	wmic.exe
Token: SeTakeOwnershipPrivilege	2776	wmic.exe
Token: SeLoadDriverPrivilege	2776	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2084	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2084	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2084	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	30
PID 1072 wrote to memory of 2696	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	31
PID 1072 wrote to memory of 2696	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	31
PID 1072 wrote to memory of 2696	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	31
PID 1072 wrote to memory of 2916	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	32
PID 1072 wrote to memory of 2916	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	32
PID 1072 wrote to memory of 2916	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	32
PID 1072 wrote to memory of 2724	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	34
PID 1072 wrote to memory of 2724	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	34
PID 1072 wrote to memory of 2724	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	34
PID 1072 wrote to memory of 2744	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	35
PID 1072 wrote to memory of 2744	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	35
PID 1072 wrote to memory of 2744	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	35
PID 1072 wrote to memory of 2896	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	36
PID 1072 wrote to memory of 2896	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	36
PID 1072 wrote to memory of 2896	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	36
PID 1072 wrote to memory of 2776	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	37
PID 1072 wrote to memory of 2776	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	37
PID 1072 wrote to memory of 2776	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	37
PID 1072 wrote to memory of 2296	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	38
PID 1072 wrote to memory of 2296	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	38
PID 1072 wrote to memory of 2296	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	38
PID 1072 wrote to memory of 2900	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	39
PID 1072 wrote to memory of 2900	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	39
PID 1072 wrote to memory of 2900	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	39
PID 1072 wrote to memory of 2016	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	40
PID 1072 wrote to memory of 2016	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	40
PID 1072 wrote to memory of 2016	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	40
PID 1072 wrote to memory of 2300	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	41
PID 1072 wrote to memory of 2300	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	41
PID 1072 wrote to memory of 2300	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	41
PID 1072 wrote to memory of 2596	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	42
PID 1072 wrote to memory of 2596	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	42
PID 1072 wrote to memory of 2596	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	42
PID 1072 wrote to memory of 2924	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	43
PID 1072 wrote to memory of 2924	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	43
PID 1072 wrote to memory of 2924	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	43
PID 1072 wrote to memory of 2992	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	44
PID 1072 wrote to memory of 2992	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	44
PID 1072 wrote to memory of 2992	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	44
PID 1072 wrote to memory of 2944	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	45
PID 1072 wrote to memory of 2944	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	45
PID 1072 wrote to memory of 2944	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	45
PID 1072 wrote to memory of 2880	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	46
PID 1072 wrote to memory of 2880	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	46
PID 1072 wrote to memory of 2880	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	46
PID 1072 wrote to memory of 3008	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	47
PID 1072 wrote to memory of 3008	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	47
PID 1072 wrote to memory of 3008	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	47
PID 1072 wrote to memory of 2684	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	48
PID 1072 wrote to memory of 2684	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	48
PID 1072 wrote to memory of 2684	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	48
PID 1072 wrote to memory of 1364	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	49
PID 1072 wrote to memory of 1364	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	49
PID 1072 wrote to memory of 1364	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	49
PID 1072 wrote to memory of 1800	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	50
PID 1072 wrote to memory of 1800	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	50
PID 1072 wrote to memory of 1800	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	50
PID 1072 wrote to memory of 1372	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	51
PID 1072 wrote to memory of 1372	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	51
PID 1072 wrote to memory of 1372	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	51
PID 1072 wrote to memory of 1848	1072	7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\cmd.exe
  cmd /c "mkdir C:\PerfLog"
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2696
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:2744
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2896
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2016
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:2300
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2992
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:2944
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2880
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2684
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:1364
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:1372
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:1848
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:2380
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:2428
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:1640
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:608
- C:\Windows\system32\cmd.exe
  cmd /C "move Windown.exe C:\PerfLog\Windown.exe"
  2⤵
  PID:1540
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get name,executablepath
  2⤵
  PID:2036
- C:\Windows\system32\findstr.exe
  findstr Windown.exe
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  cmd /c "start /b C:\PerfLog\Windown.exe"
  2⤵
  PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windown.exe

Filesize
342B

MD5
4631b80fb4d00f897aeea53fe54de1c1

SHA1
5d4eb7befed38d050a2b1adaa91de040a5beb9bf

SHA256
d5e3078cb88ba53faa1d104c27054d2a8ff92665b4c02144f55489bf5c254016

SHA512
1f1837a080939a6ee7876a8733bf9d074748ad8b1f907f5aa6588e2a80407e77e3272528a59c788b548e393256a4d396cb9266500c785ab538d03d60f645e3dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads