15ac701297ea25266d66c3a298cb4cf5810fb9e297c03a598881d297b24dc0e4

Analysis

max time kernel
126s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 19:56

Target

47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe
Size

96KB
MD5

47c66527d0e0890babb7cb5cf87e6eb9
SHA1

d6b01d0897af68591797c40159ae1b878f753333
SHA256

15ac701297ea25266d66c3a298cb4cf5810fb9e297c03a598881d297b24dc0e4
SHA512

d7f047531cee44392463139ee0724065f5954d74eba09467c5ef5253749ee69de122cc4b09c10ab0f643557e12d6d1620632ef0e849e432f3c88beb741547043
SSDEEP

768:/bXecTlj6nkZnV+GAEk5fL6DTl1xr0WzCZtfW10MkkSxq2qiHR:/b/N6nkZV+hEqL6DNr0wAfWiMkkSxq6x

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	2345safe.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe
2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\360safe\2345safe.exe	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe
File created	C:\Program Files\360safe\2345safe.exe	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe
2916	2345safe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2916	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2916	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2916	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2916	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2776	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2776	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2776	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2776	2064	47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47c66527d0e0890babb7cb5cf87e6eb9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files\360safe\2345safe.exe
  "C:\Program Files\360safe\2345safe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Deletes itself
  PID:2776

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
100B

MD5
9ad73f6c00fb689065a91fdda38b17e7

SHA1
b5f8c282c76ddf7baf3721e5d0b38195549496cf

SHA256
056bb3be20fa1ae5279530b7915f1c4f8882159f221f51c331cbdcd1af31c49f

SHA512
7f226f89a0923312d245211fe8ea6a809707bc43fdf568ac29c21b2d0a94ac91c062812934976d3746137bacdf0bc4fd3cb2aa411fdce2be9db10fce588f5727

Download Submit
\Program Files\360safe\2345safe.exe

Filesize
96KB

MD5
47c66527d0e0890babb7cb5cf87e6eb9

SHA1
d6b01d0897af68591797c40159ae1b878f753333

SHA256
15ac701297ea25266d66c3a298cb4cf5810fb9e297c03a598881d297b24dc0e4

SHA512
d7f047531cee44392463139ee0724065f5954d74eba09467c5ef5253749ee69de122cc4b09c10ab0f643557e12d6d1620632ef0e849e432f3c88beb741547043

Download Submit