32deaa44ec679e7d691bee23eda5276ed432b52c5fc3110c78320461b504de12

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe
Size

4.6MB
MD5

2cbf5f9994c5e30a3a7710003c318192
SHA1

2e523c56d99aa416dae376696d8ffe88a9449640
SHA256

32deaa44ec679e7d691bee23eda5276ed432b52c5fc3110c78320461b504de12
SHA512

9083559b50ed00c99abacd9f0f70d4e93d015003b69b3169f1494ee1a30aec76c57096d244e0fdc80df73982d353ff8da9ace9285911630e55622cbfdcef1730
SSDEEP

98304:iZYIE5pcXOBjp1nDYexugNAhcLF7NBCuOl7gmFlMpA0+i3+x:iaIypRBt5Y6uQscLpXA7g4lMpf+Ss

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp

Loads dropped DLL 6 IoCs

pid	Process
1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe
2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp
2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp
2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp
2616	RunDll32.exe
2616	RunDll32.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe
2616	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2684	1368	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe	28
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29
PID 2684 wrote to memory of 2616	2684	2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp	29

C:\Users\Admin\AppData\Local\Temp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\is-QADGU.tmp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QADGU.tmp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp" /SL5="$6014E,4281660,241152,C:\Users\Admin\AppData\Local\Temp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-1RIFL.tmp\OCSetupHlp.dll",_OCPRD1236OpenCandy2@16 2684
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1RIFL.tmp\OCSetupHlp.dll

Filesize
764KB

MD5
55dd7d6073e4d23a0092336e86e15406

SHA1
2ec3ead6bfcc6fb94c147792dc8b4696f1295f31

SHA256
8a93e31606c6ff9c3ea1575885ef9bb41924a156f1ea52506ad68dec220e6144

SHA512
becc3a199e8e4efe368766b5dd8d1d706cb60eaf1f2080022302ff96ca91803ad3756f202805572bd6c86823c516735c9aee1d1982847a0f3a06ed0316bcd166

Download Submit
\Users\Admin\AppData\Local\Temp\is-1RIFL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QADGU.tmp\2cbf5f9994c5e30a3a7710003c318192_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e70f9b05bca4a76c76055cebaf07d07d

SHA1
28b8ed45ffd4c362ea6c071e756f095c8640d9f8

SHA256
8b11153d3ff1d70850a6bfb690cf301ba6dfc5a8ca7afa3e8e91935f6bfd85cb

SHA512
c1b7706ddf003f7b36b02874a5a1fc88a4a281afd26d365977bc38ee004f22c652719ae9efae74a68186cd7bdecf5de9379f37bb2cc93ed6d3dc28e48ff0ca67

Download Submit
memory/1368-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1368-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1368-25-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2684-8-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2684-26-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download