97eab582ab5c97d6976efebedcd046e397427bdd04defcfe9fb65afa31c9a48f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 17:50

Target

eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe
Size

281KB
MD5

eba61e1580f46a700f43dca23ec9b8c8
SHA1

670defd2e3a408039f934f7fdb18ea7ce5f6823d
SHA256

97eab582ab5c97d6976efebedcd046e397427bdd04defcfe9fb65afa31c9a48f
SHA512

8521cb69bd157ac7d7cac800738ef7b1f36b6b83315dce4484aead57a02ba66b1dc9066d2b5d034e7fc71e2f57b7d0f2f2d3efed2c2a5eca300f2287cb2c9212
SSDEEP

6144:bmQ8Ufw/M/eUfTWOP9uo51oe1jfohAjLdO9E1vO/hD3lMKsZG1JR:rw/lUb7oeCovO/ZVM3

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	svohst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svohst.exe	svohst.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svohst.exe	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svohst.exe	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2444	2912	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2444	2912	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2444	2912	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2444	2912	eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eba61e1580f46a700f43dca23ec9b8c8_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2444

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
477a3ca959604cc4e7f537b153262b66

SHA1
be2fff77fe0915a23291d364aaa395498291bc08

SHA256
06d295c82b3b79c3c3d35f6c0d0859b2a8286f0ab90b6de29b299eef7943d62e

SHA512
cce3bd94209f7044db478f479e83b993206ca69b9aed9f53d2da155425584baa92c3fb5acf9c455aa7fbd42447383ead52a1b1b198cdd156aa26b6b1c13d588f

Download Submit
C:\Windows\SysWOW64\svohst.exe

Filesize
281KB

MD5
eba61e1580f46a700f43dca23ec9b8c8

SHA1
670defd2e3a408039f934f7fdb18ea7ce5f6823d

SHA256
97eab582ab5c97d6976efebedcd046e397427bdd04defcfe9fb65afa31c9a48f

SHA512
8521cb69bd157ac7d7cac800738ef7b1f36b6b83315dce4484aead57a02ba66b1dc9066d2b5d034e7fc71e2f57b7d0f2f2d3efed2c2a5eca300f2287cb2c9212

Download Submit
memory/2632-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2632-7-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2632-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2912-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download