87550c8c7017dc8651b9d815b752a5c7d56df89ea72bee6d5605830aba6ce31b

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Size

480KB
MD5

dd897a7572141a39be51222477156f70
SHA1

f28d58c6c43da66dca42c5d3f1642cd08b38e887
SHA256

87550c8c7017dc8651b9d815b752a5c7d56df89ea72bee6d5605830aba6ce31b
SHA512

76d84d9be028616fb61f6450df8eafab11280fc58c72d0d1bf988ca26915075585760e2d987b8eeec57b047c67021e2851d4595ac06ccf1302b595859ecd7dc5
SSDEEP

12288:9r4bl03gdvGgjoAZ/9U+cu19+tjUK7lbJS3fm6MZIl3V:6jMgsAY+x+tjD7fqmPIlV

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3848 set thread context of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 2380 set thread context of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 4316 set thread context of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4012 set thread context of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 1228 set thread context of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 544 set thread context of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 2408 set thread context of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe
Token: SeDebugPrivilege	3332	dd897a7572141a39be51222477156f70_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3928	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	90
PID 3848 wrote to memory of 3928	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	90
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2380	3848	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	91
PID 2380 wrote to memory of 2908	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	92
PID 2380 wrote to memory of 2908	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	92
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 2380 wrote to memory of 4316	2380	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	93
PID 4316 wrote to memory of 4220	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	94
PID 4316 wrote to memory of 4220	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	94
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4316 wrote to memory of 4012	4316	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	95
PID 4012 wrote to memory of 2984	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	96
PID 4012 wrote to memory of 2984	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	96
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 4012 wrote to memory of 1228	4012	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	97
PID 1228 wrote to memory of 1324	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	98
PID 1228 wrote to memory of 1324	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	98
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 1228 wrote to memory of 544	1228	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	99
PID 544 wrote to memory of 3752	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	100
PID 544 wrote to memory of 3752	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	100
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 544 wrote to memory of 2408	544	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	101
PID 2408 wrote to memory of 5016	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	102
PID 2408 wrote to memory of 5016	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	102
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 2408 wrote to memory of 3332	2408	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	103
PID 3332 wrote to memory of 884	3332	dd897a7572141a39be51222477156f70_JaffaCakes118.exe	104

C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
  2⤵
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
    3⤵
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
      4⤵
      PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        5⤵
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        6⤵
        
        PID:1324
      - C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        7⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        8⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        8⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        9⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\dd897a7572141a39be51222477156f70_JaffaCakes118.exe
        9⤵
        
        PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4444,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:2972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\dd897a7572141a39be51222477156f70_JaffaCakes118.exe.log

Filesize
224B

MD5
1e4f2a29e11dead55e61329942cd2b14

SHA1
4b3ec9b98797d2f734d67b47cc149546f21cf0af

SHA256
28bbb0da12bd69adc9df324c01392655b788115aba7466f02c23e1ba09f789d4

SHA512
2e28227d898486bfe1cea081df486464b214df50500786e30d6ee9e7d6391f3aacd2f1ed1d0eab60d518bbc79f20f32c226f00ffd70abfe9af45a746cb08416c

Download Submit
memory/2380-6-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/2380-8-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/2380-9-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/3848-0-0x00007FF9CE6D5000-0x00007FF9CE6D6000-memory.dmp

Filesize
4KB

Download
memory/3848-1-0x000000001C010000-0x000000001C0B6000-memory.dmp

Filesize
664KB

Download
memory/3848-2-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/3848-3-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/3848-7-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-11-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-12-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download
memory/4316-10-0x00007FF9CE420000-0x00007FF9CEDC1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads