b73435925ea5bff564ee603246061c65339a128762d5e1e3141a2f390038cc41

Analysis

max time kernel
95s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 05:43

Target

cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe
Size

59KB
MD5

cc66bcff188c7ea802ecf0feffd20e54
SHA1

df675d61993d4a93a1ae45929640dff275856812
SHA256

b73435925ea5bff564ee603246061c65339a128762d5e1e3141a2f390038cc41
SHA512

19e98bc6f2fc84f54a83745eb2415f0c937f7ce009902a1f02c10bcb1153af8b88ddd187196869e12854fa79f561285a20bbb466dc84968d944647094a3b6f65
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOe:71Tzy48untU8fOMEI3jyYfPiuOe

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4064	1316	cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe	85
PID 1316 wrote to memory of 4064	1316	cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe	85
PID 1316 wrote to memory of 4064	1316	cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe	85
PID 4064 wrote to memory of 1652	4064	cmd.exe	88
PID 4064 wrote to memory of 1652	4064	cmd.exe	88
PID 4064 wrote to memory of 1652	4064	cmd.exe	88
PID 1652 wrote to memory of 932	1652	iexpress.exe	90
PID 1652 wrote to memory of 932	1652	iexpress.exe	90
PID 1652 wrote to memory of 932	1652	iexpress.exe	90

C:\Users\Admin\AppData\Local\Temp\cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\709C.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\cc66bcff188c7ea802ecf0feffd20e54_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:932

C:\Users\Admin\AppData\Local\Temp\709C.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
59KB

MD5
794a29bce745382502e2c548bb0912eb

SHA1
47d38a1018fd956caa77279391d63c8a3e64570a

SHA256
5876af850327ee9f8e0dbe76e000dafe94a7ffdc5b0f5a6b0ed9ca11f6aa0938

SHA512
a81bbe6d7517160d2b1bd2d865764c109097f36d078aaf2dd635792c0e06b4b35881f260c1b42a02e87c65da268296f287cf258cce423d08855d881ed7821516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit