0f6e64f44e50ab9a7237d6552eaf0fe82161d1946e601bf30dd844683f074114

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 13:35

Target

ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe
Size

58KB
MD5

ff6524cc8b1daf4bdbbb77e0902888ad
SHA1

01551c1e74b396f695b73860f810de20c1a286fe
SHA256

0f6e64f44e50ab9a7237d6552eaf0fe82161d1946e601bf30dd844683f074114
SHA512

162ca72786cb89588c7ff7ab58d2d1a686cf2944691b7a38f72b63e279a358746838d0de6146ca93a3ec8c6a469dc54182c4d069fee5148e95b08d28413689bf
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOO6:71Tzy48untU8fOMEI3jyYfPiuO6

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2300	1536	ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe	86
PID 1536 wrote to memory of 2300	1536	ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe	86
PID 1536 wrote to memory of 2300	1536	ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe	86
PID 2300 wrote to memory of 1448	2300	cmd.exe	87
PID 2300 wrote to memory of 1448	2300	cmd.exe	87
PID 2300 wrote to memory of 1448	2300	cmd.exe	87
PID 1448 wrote to memory of 2580	1448	iexpress.exe	88
PID 1448 wrote to memory of 2580	1448	iexpress.exe	88
PID 1448 wrote to memory of 2580	1448	iexpress.exe	88

C:\Users\Admin\AppData\Local\Temp\ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4B13.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\ff6524cc8b1daf4bdbbb77e0902888ad_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2580

C:\Users\Admin\AppData\Local\Temp\4B13.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
58KB

MD5
79d687c1d71df399aec7836b5d1e190d

SHA1
7c66c080165faaf8b132258c361ebd1f5063b19d

SHA256
b6ee8c42216faff2d263b7b2a666b812971f58f39a50fc9dcafccd2bf35f52ff

SHA512
b6f5a01f5d84de69430fc2a6699ce626306523433766ce2403766305697e6d5a499080b1e434440f748f301f0215ffc64c3f23a3238c681b5435b06a7b1651ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit