14e7114625ab14c87c326578f24de2fe76189007f097a04c1d65322d2b87802c

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 13:22

Target

465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
Size

610KB
MD5

465f06f4687b692cebc19578ab0ab7ef
SHA1

ef8b91d63623d5ee0676a2348bfd143f15a9d7ba
SHA256

14e7114625ab14c87c326578f24de2fe76189007f097a04c1d65322d2b87802c
SHA512

3a270678253af9c7561b6bd08b6295f4a91a87bc1e8362912f2804b5e1a19d814f77d1cfaa176167f229396c383c4dd43b732e0ed59ba07f238dd725cc0c0f64
SSDEEP

12288:UtwL11ukJQ1Uc2AMSKHql4tSSpDHE/fXMco:jJ0KAMdESpDHE/fPo

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
1084	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
4372	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1084	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	91
PID 1392 wrote to memory of 1084	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	91
PID 1392 wrote to memory of 1084	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	91
PID 1392 wrote to memory of 4372	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	92
PID 1392 wrote to memory of 4372	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	92
PID 1392 wrote to memory of 4372	1392	465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
  start
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\465f06f4687b692cebc19578ab0ab7ef_JaffaCakes118.exe
  watch
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:2708

memory/1084-10-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1084-6-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1084-8-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1084-12-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1392-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1392-2-0x000000000046C000-0x000000000046E000-memory.dmp

Filesize
8KB

Download
memory/1392-4-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1392-3-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1392-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-7-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-14-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download