7d815f06185e7a5499b37e426c66191f2174d4e82b2f669af0a168633ce17b16

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 19:24

Target

f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
Size

73KB
MD5

f67efca3e64a257311b8a2e278128cce
SHA1

78faa967d50f866f63b257c0829ef2539aeef3c9
SHA256

7d815f06185e7a5499b37e426c66191f2174d4e82b2f669af0a168633ce17b16
SHA512

449730d00098c9cb7113411684c4776292c8732936c9c20b5704b72a7dac6589d1d6c115d12f732d959bb3326c65c98d6a1b19d5d0edb039f09049157511288f
SSDEEP

1536:W45qNJhWBZ5xaq2VXBRAIYO+MElTnz8MdQqzupKBVQB+/t9o2hNSAlvZJR:W/FKxaLRSO+MEnzD4KBaBw9lhNFhR

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\B831406A9770.dll	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\B831406A9770.dll	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\ = "fsvdf"	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ = "C:\\Windows\\Debug\\B831406A9770.dll"	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4976	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	88
PID 3272 wrote to memory of 4976	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	88
PID 3272 wrote to memory of 4976	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	88
PID 3272 wrote to memory of 3592	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	95
PID 3272 wrote to memory of 3592	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	95
PID 3272 wrote to memory of 3592	3272	f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f67efca3e64a257311b8a2e278128cce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3592

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
42B

MD5
08409feff760da097349273e3c396884

SHA1
d530f5a50d2bd76d8c7c97343f806db11e78b88a

SHA256
13cb6eb5d95d299ce36973a31633fa0d73394fe1a51d61373d4f7efa3cb80d4c

SHA512
4ef729df5f805ca0007c618bde027ee3243be34bf9c3a66a5465299c1910bf0deddc9d8a08cfd0cf6973012bfe6c3cf109faa80fee94ed4fa12a232f5a16f54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
53B

MD5
8d856891d061488c8fca4e071c7db6eb

SHA1
00d98a74477c27281a8e38ffd8a40c08e51b341d

SHA256
29f9eed1ad480b91ae4e33b6378e5f598c61bdf607f7363d099701c45e40f5ac

SHA512
ed43963addefba107fbd4ab6d9265118f99d48b8af66dd44cc3a5d5842e3965116b5af9ba7537d90f884029ed57fa0f67aafc1625fe26168b11718eda35ea531

Download Submit
C:\Windows\debug\B831406A9770.dll

Filesize
154KB

MD5
e23be3cce6ab7c704e9b91a58824de81

SHA1
e5f4494fbe79834c25097b8d241fcf169973c49a

SHA256
81ac9c1c1d271f5e12d262e4351242a42da7b3857ca2a9036f200e6e2895062e

SHA512
4023f4d8a7e5599afd106a59cb53f6fe0db1aa464625fc66861a80993733f1f16cfc8c2e974c4a64cf576f0f3a0262130343bdb9b2fb3771ff8715c10b117f3e

Download Submit
memory/3272-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3272-11-0x00000000006F0000-0x000000000071B000-memory.dmp

Filesize
172KB

Download
memory/3272-15-0x00000000006F0000-0x000000000071B000-memory.dmp

Filesize
172KB

Download
memory/3272-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download