f9de9bf88e98a4ca36f4935f9d0656ed6185eebf2fa5eb2673e3e2acfa541223

Analysis

max time kernel
139s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 12:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
Size

572KB
MD5

fcbebd2602f00dbdf81c408988c0c594
SHA1

cdfd36becd8a87f5b27c12dc1011d24c6f6503e4
SHA256

f9de9bf88e98a4ca36f4935f9d0656ed6185eebf2fa5eb2673e3e2acfa541223
SHA512

a94565342d2ba711332a12c412a20eade9a29bc3843d1568e0b4d697f5364ce3a79ce57db41a8212f5e1adf134426c8b4cf016ae879cae130bfdd69c4d869a8d
SSDEEP

12288:Hzwg73Zm3mn6K++ygPVVkGkCGEJuQRCcl9poIGe:T+3m6K++yyVapJBAFG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2596	svchosv.exe
1660	svchosv.exe
1520	svchosv.exe
1664	svchosv.exe
2012	svchosv.exe
2140	svchosv.exe
3048	svchosv.exe
1600	svchosv.exe
2484	svchosv.exe
1676	svchosv.exe

Loads dropped DLL 20 IoCs

pid	Process
2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
2596	svchosv.exe
2596	svchosv.exe
1660	svchosv.exe
1660	svchosv.exe
1520	svchosv.exe
1520	svchosv.exe
1664	svchosv.exe
1664	svchosv.exe
2012	svchosv.exe
2012	svchosv.exe
2140	svchosv.exe
2140	svchosv.exe
3048	svchosv.exe
3048	svchosv.exe
1600	svchosv.exe
1600	svchosv.exe
2484	svchosv.exe
2484	svchosv.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe
File created	C:\Windows\SysWOW64\svchosv.exe	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosv.exe	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchosv.exe	svchosv.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
2596	svchosv.exe
1660	svchosv.exe
1520	svchosv.exe
1664	svchosv.exe
2012	svchosv.exe
2140	svchosv.exe
3048	svchosv.exe
1600	svchosv.exe
2484	svchosv.exe
1676	svchosv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2596	2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe	28
PID 2948 wrote to memory of 2596	2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe	28
PID 2948 wrote to memory of 2596	2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe	28
PID 2948 wrote to memory of 2596	2948	fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe	28
PID 2596 wrote to memory of 1660	2596	svchosv.exe	29
PID 2596 wrote to memory of 1660	2596	svchosv.exe	29
PID 2596 wrote to memory of 1660	2596	svchosv.exe	29
PID 2596 wrote to memory of 1660	2596	svchosv.exe	29
PID 1660 wrote to memory of 1520	1660	svchosv.exe	30
PID 1660 wrote to memory of 1520	1660	svchosv.exe	30
PID 1660 wrote to memory of 1520	1660	svchosv.exe	30
PID 1660 wrote to memory of 1520	1660	svchosv.exe	30
PID 1520 wrote to memory of 1664	1520	svchosv.exe	31
PID 1520 wrote to memory of 1664	1520	svchosv.exe	31
PID 1520 wrote to memory of 1664	1520	svchosv.exe	31
PID 1520 wrote to memory of 1664	1520	svchosv.exe	31
PID 1664 wrote to memory of 2012	1664	svchosv.exe	34
PID 1664 wrote to memory of 2012	1664	svchosv.exe	34
PID 1664 wrote to memory of 2012	1664	svchosv.exe	34
PID 1664 wrote to memory of 2012	1664	svchosv.exe	34
PID 2012 wrote to memory of 2140	2012	svchosv.exe	35
PID 2012 wrote to memory of 2140	2012	svchosv.exe	35
PID 2012 wrote to memory of 2140	2012	svchosv.exe	35
PID 2012 wrote to memory of 2140	2012	svchosv.exe	35
PID 2140 wrote to memory of 3048	2140	svchosv.exe	36
PID 2140 wrote to memory of 3048	2140	svchosv.exe	36
PID 2140 wrote to memory of 3048	2140	svchosv.exe	36
PID 2140 wrote to memory of 3048	2140	svchosv.exe	36
PID 3048 wrote to memory of 1600	3048	svchosv.exe	37
PID 3048 wrote to memory of 1600	3048	svchosv.exe	37
PID 3048 wrote to memory of 1600	3048	svchosv.exe	37
PID 3048 wrote to memory of 1600	3048	svchosv.exe	37
PID 1600 wrote to memory of 2484	1600	svchosv.exe	38
PID 1600 wrote to memory of 2484	1600	svchosv.exe	38
PID 1600 wrote to memory of 2484	1600	svchosv.exe	38
PID 1600 wrote to memory of 2484	1600	svchosv.exe	38
PID 2484 wrote to memory of 1676	2484	svchosv.exe	39
PID 2484 wrote to memory of 1676	2484	svchosv.exe	39
PID 2484 wrote to memory of 1676	2484	svchosv.exe	39
PID 2484 wrote to memory of 1676	2484	svchosv.exe	39

C:\Users\Admin\AppData\Local\Temp\fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\svchosv.exe
  C:\Windows\system32\svchosv.exe 704 "C:\Users\Admin\AppData\Local\Temp\fcbebd2602f00dbdf81c408988c0c594_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\svchosv.exe
    C:\Windows\system32\svchosv.exe 712 "C:\Windows\SysWOW64\svchosv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\svchosv.exe
      C:\Windows\system32\svchosv.exe 708 "C:\Windows\SysWOW64\svchosv.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 724 "C:\Windows\SysWOW64\svchosv.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 720 "C:\Windows\SysWOW64\svchosv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 728 "C:\Windows\SysWOW64\svchosv.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 732 "C:\Windows\SysWOW64\svchosv.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 736 "C:\Windows\SysWOW64\svchosv.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 716 "C:\Windows\SysWOW64\svchosv.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\svchosv.exe
        
        C:\Windows\system32\svchosv.exe 744 "C:\Windows\SysWOW64\svchosv.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\svchosv.exe

Filesize
572KB

MD5
fcbebd2602f00dbdf81c408988c0c594

SHA1
cdfd36becd8a87f5b27c12dc1011d24c6f6503e4

SHA256
f9de9bf88e98a4ca36f4935f9d0656ed6185eebf2fa5eb2673e3e2acfa541223

SHA512
a94565342d2ba711332a12c412a20eade9a29bc3843d1568e0b4d697f5364ce3a79ce57db41a8212f5e1adf134426c8b4cf016ae879cae130bfdd69c4d869a8d

Download Submit
memory/1520-82-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1520-80-0x00000000041C0000-0x00000000041C2000-memory.dmp

Filesize
8KB

Download
memory/1520-79-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1520-81-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/1520-96-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1520-84-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/1520-83-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1600-138-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1660-75-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1660-58-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1660-69-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1660-68-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/1660-78-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1660-67-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1660-77-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/1660-55-0x00000000041D0000-0x00000000041D2000-memory.dmp

Filesize
8KB

Download
memory/1660-72-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1660-71-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/1660-54-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1660-56-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1660-57-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1660-66-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/1660-59-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/1660-60-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1660-61-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/1660-62-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1660-63-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1660-64-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1660-65-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/1664-122-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2012-126-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2140-130-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2484-142-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2596-46-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2596-29-0x00000000041B0000-0x00000000041B2000-memory.dmp

Filesize
8KB

Download
memory/2596-28-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2596-51-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2596-52-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2596-53-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2596-50-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2596-45-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2596-42-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2596-41-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2596-40-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2596-39-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/2596-38-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2596-37-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2596-36-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2596-35-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2596-34-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2596-33-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2596-32-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2596-31-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/2596-30-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2948-4-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2948-0-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2948-27-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/2948-26-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2948-24-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2948-16-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2948-18-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x00000000041B0000-0x00000000041B2000-memory.dmp

Filesize
8KB

Download
memory/2948-3-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2948-2-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2948-6-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2948-5-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2948-44-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2948-7-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2948-8-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2948-9-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2948-12-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2948-11-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2948-10-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/3048-134-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download