c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:53

Target

JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe
Size

741.0MB
MD5

48e90decbbe56eda8001688b87caeece
SHA1

4d0c27524f6c22b8fef4fd239eaa32a72fc838ba
SHA256

c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2
SHA512

628936da90bd2acc4795ac3c533e0419ddd8bb268c310212698da4d8fb7c45a2ef7dc8607d1d80258951633862338d1a6060d1108294785a57d28be93ef7a1d0
SSDEEP

98304:A2myYARohKbEc9LUHAMqsmigf4q7soMpTPwKu3/ud0GiBZ4PYlRZCDw1BQRt7172:AMYARLbEpjgfsTPwKu3/uFiZgQB1Y

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe
1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31
PID 1660 wrote to memory of 2592	1660	JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3fa21431a8dbc2ee9f02b1ae54ce5da58b55d4d9565143ea73cba8e7c2b5cf2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2592

memory/1660-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000000DD0000-0x000000000205C000-memory.dmp

Filesize
18.5MB

Download
memory/1660-2-0x000000001C590000-0x000000001C7EE000-memory.dmp

Filesize
2.4MB

Download
memory/1660-3-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-4-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download