8f0de9561c819a2ac7f490afebea87ac5a80fdc6af0877210e3601ad89de8310

Analysis

max time kernel
154s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe
Size

190KB
MD5

f982412c1068c62c74e66e33d22f126c
SHA1

2abac49c1945c84afbf043294caedb466ecc9a6c
SHA256

8f0de9561c819a2ac7f490afebea87ac5a80fdc6af0877210e3601ad89de8310
SHA512

54afecfa208207f1605382fdbb907e4f0f58d30fb7a749cf91a5a31ec23ff7968ca85cf17543f06c57e0b683c6274c8ebb224d1f72df6d1b0dc52a0543b44a6e
SSDEEP

3072:mnb3hr6gHOACLkhR8xD/5TaBOR5OE1EM2jASY1atZgn37zpnop2WtXvs3R:o3hr6gH3N4xD/lay92NgvpnoJtEh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

SVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXE

pid	process
3996	SVCHOSTI.EXE
1980	SVCHOSTI.EXE
4512	SVCHOSTI.EXE
2604	SVCHOSTI.EXE
4932	SVCHOSTI.EXE
3412	SVCHOSTI.EXE
2144	SVCHOSTI.EXE
1504	SVCHOSTI.EXE
5080	SVCHOSTI.EXE
3728	SVCHOSTI.EXE

Drops file in System32 directory 22 IoCs

Processes:

SVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXEf982412c1068c62c74e66e33d22f126c_JaffaCakes118.exeSVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File created	C:\Windows\SysWOW64\SVCHOSTI.EXE	f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSTI.EXE	SVCHOSTI.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exeSVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXESVCHOSTI.EXE

description	pid	process	target process
PID 1092 wrote to memory of 3996	1092	f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe	SVCHOSTI.EXE
PID 1092 wrote to memory of 3996	1092	f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe	SVCHOSTI.EXE
PID 1092 wrote to memory of 3996	1092	f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe	SVCHOSTI.EXE
PID 3996 wrote to memory of 1980	3996	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 3996 wrote to memory of 1980	3996	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 3996 wrote to memory of 1980	3996	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1980 wrote to memory of 4512	1980	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1980 wrote to memory of 4512	1980	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1980 wrote to memory of 4512	1980	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4512 wrote to memory of 2604	4512	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4512 wrote to memory of 2604	4512	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4512 wrote to memory of 2604	4512	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2604 wrote to memory of 4932	2604	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2604 wrote to memory of 4932	2604	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2604 wrote to memory of 4932	2604	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4932 wrote to memory of 3412	4932	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4932 wrote to memory of 3412	4932	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 4932 wrote to memory of 3412	4932	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 3412 wrote to memory of 2144	3412	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 3412 wrote to memory of 2144	3412	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 3412 wrote to memory of 2144	3412	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2144 wrote to memory of 1504	2144	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2144 wrote to memory of 1504	2144	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 2144 wrote to memory of 1504	2144	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1504 wrote to memory of 5080	1504	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1504 wrote to memory of 5080	1504	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 1504 wrote to memory of 5080	1504	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 5080 wrote to memory of 3728	5080	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 5080 wrote to memory of 3728	5080	SVCHOSTI.EXE	SVCHOSTI.EXE
PID 5080 wrote to memory of 3728	5080	SVCHOSTI.EXE	SVCHOSTI.EXE

C:\Users\Admin\AppData\Local\Temp\f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1228 "C:\Users\Admin\AppData\Local\Temp\f982412c1068c62c74e66e33d22f126c_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1188 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1160 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1120 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1164 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1152 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1172 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1028 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1184 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\SVCHOSTI.EXE
C:\Windows\system32\SVCHOSTI.EXE 1180 "C:\Windows\SysWOW64\SVCHOSTI.EXE"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SVCHOSTI.EXE

Filesize
190KB

MD5
f982412c1068c62c74e66e33d22f126c

SHA1
2abac49c1945c84afbf043294caedb466ecc9a6c

SHA256
8f0de9561c819a2ac7f490afebea87ac5a80fdc6af0877210e3601ad89de8310

SHA512
54afecfa208207f1605382fdbb907e4f0f58d30fb7a749cf91a5a31ec23ff7968ca85cf17543f06c57e0b683c6274c8ebb224d1f72df6d1b0dc52a0543b44a6e

Download Submit
memory/1092-19-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1092-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1092-39-0x0000000000970000-0x00000000009AA000-memory.dmp

Filesize
232KB

Download
memory/1092-3-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1092-4-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1092-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1092-6-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1092-37-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1092-8-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1092-9-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1092-10-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1092-11-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1092-26-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1092-13-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1092-14-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1092-15-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1092-17-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1092-16-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1092-18-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1092-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1092-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1092-1-0x0000000000970000-0x00000000009AA000-memory.dmp

Filesize
232KB

Download
memory/1092-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1504-139-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1980-52-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1980-50-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1980-51-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1980-55-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1980-56-0x0000000000650000-0x000000000068A000-memory.dmp

Filesize
232KB

Download
memory/1980-48-0x0000000000650000-0x000000000068A000-memory.dmp

Filesize
232KB

Download
memory/1980-49-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1980-53-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2144-123-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2604-77-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2604-76-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2604-72-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2604-85-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2604-74-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2604-75-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2604-73-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2604-78-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3412-110-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3996-40-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3996-28-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3996-43-0x0000000000850000-0x000000000088A000-memory.dmp

Filesize
232KB

Download
memory/3996-38-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3996-42-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3996-45-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3996-46-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3996-27-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3996-44-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3996-41-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3996-29-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3996-30-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3996-31-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3996-33-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3996-32-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3996-34-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3996-35-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3996-36-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4512-59-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4512-64-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4512-69-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4512-67-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4512-68-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4512-65-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4512-63-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4512-71-0x0000000000570000-0x00000000005AA000-memory.dmp

Filesize
232KB

Download
memory/4512-62-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4512-58-0x0000000000570000-0x00000000005AA000-memory.dmp

Filesize
232KB

Download
memory/4512-61-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4512-60-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4932-95-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/5080-151-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download