551b348e74e6988e846e94e1e78ed11a55ed126db2fce5064474c48a97aa84de

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 02:48

Target

fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe
Size

58KB
MD5

fe40deba34d8636a686a91cbfe03c96f
SHA1

136fca1fa0f4e6736ead7fd47cf06b1a4339165d
SHA256

551b348e74e6988e846e94e1e78ed11a55ed126db2fce5064474c48a97aa84de
SHA512

ae33d7ddacb3c92d4979dda66f7be4384f7df476a509f0b7a6e414691bfcb04b9cfc7408f0d7509377452b49d05d4b5f903be63dc720642fb3a506906bdd5e23
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOm:71Tzy48untU8fOMEI3jyYfPiuOm

Score

1^/10

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1284	2344	fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe	29
PID 2344 wrote to memory of 1284	2344	fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe	29
PID 2344 wrote to memory of 1284	2344	fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe	29
PID 2344 wrote to memory of 1284	2344	fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe	29
PID 1284 wrote to memory of 1700	1284	cmd.exe	30
PID 1284 wrote to memory of 1700	1284	cmd.exe	30
PID 1284 wrote to memory of 1700	1284	cmd.exe	30
PID 1284 wrote to memory of 1700	1284	cmd.exe	30
PID 1700 wrote to memory of 2860	1700	iexpress.exe	31
PID 1700 wrote to memory of 2860	1700	iexpress.exe	31
PID 1700 wrote to memory of 2860	1700	iexpress.exe	31
PID 1700 wrote to memory of 2860	1700	iexpress.exe	31

C:\Users\Admin\AppData\Local\Temp\fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1D22.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\fe40deba34d8636a686a91cbfe03c96f_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2860

C:\Users\Admin\AppData\Local\Temp\1D22.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
58KB

MD5
f01287e287136c83e062dbf7e4ca170b

SHA1
f30ddf57d1dbc24b36fa4fa9048819d1e4369753

SHA256
66c3f3fa61c03004d9e52a0a5b3e54d9703390ddf55b370cb79df684a607c935

SHA512
534d12a9e3e4af6a1ed6fb4dca7defb4017edfcffce80e95ec1520ffcdce22b7d05f225cc9234d045aa3f535ab8d095a7848701899b34824ac55e43f5ee27cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit