c935362aadb2a3ffcd0f49a1ffb4ce7f920176653d50d348a5228963a8c7e448

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 00:42

Target

017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe
Size

129KB
MD5

017c442d3b0223d6ff1d4ffb9df66554
SHA1

ef7fe7dca117c6a1e3842d0ccc0f2b876c78ac25
SHA256

c935362aadb2a3ffcd0f49a1ffb4ce7f920176653d50d348a5228963a8c7e448
SHA512

8ce6271e29fbaeadeebb16a44b43a72acd7e2c1258b509c35a0b1dbbc42b8292e79b20d5bfd7e53e6c61d318d01c67b59fc30cae8a0581aa919e956f9469cda5
SSDEEP

3072:iqujQz19o6kq4WRVLM9uk5A6kVd6fIIZ661p:xAAY6kwRZ6B5A6kVd6ftY

Score

7^/10

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\helpme.exe	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpme.exe	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\winhlp.dll	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ = "C:\\Windows\\Debug\\winhlp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2652	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1560	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1560	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1560	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1560	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	28
PID 3000 wrote to memory of 3032	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3032	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3032	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	29
PID 3000 wrote to memory of 3032	3000	017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe	29
PID 1560 wrote to memory of 2652	1560	cmd.exe	32
PID 1560 wrote to memory of 2652	1560	cmd.exe	32
PID 1560 wrote to memory of 2652	1560	cmd.exe	32
PID 1560 wrote to memory of 2652	1560	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\wjaw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\xdsfw.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\017c442d3b0223d6ff1d4ffb9df66554_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:3032

C:\Users\Admin\AppData\Local\Temp\wjaw.bat

Filesize
124B

MD5
9eaf332297c95d0f5525bd93f0535b80

SHA1
dcae53735fb62cbfadae86b9b6678f30526d714b

SHA256
4732f12a6ae955a8ec5ff67e0bf9375af3ab35c6dcc2a3bcc74b987db028565c

SHA512
f4418d7a9bc456922242e6be8caa22738206bbc3a4bcb65d6a32f3e32e624f50ba0058b0cae16495b92c3379eb2ea50194f1ec343ace8188cb2f6a54a2d46f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsfw.reg

Filesize
402B

MD5
bb338472ef0e2e25a20506b43e2d9d9a

SHA1
b22dd7c9b1d524f771aafc8b0b8a6bdccc8bec30

SHA256
963088b4fb19b383ebc4408b3778ce04b34fd628d24720e8fbe28d8bc2bc3434

SHA512
eb16785a2ea6e16fd8b158284911398796f91d8f5532f367951f54e1379d016ac4e2bb3106102a98d7efd43eee8dde70e49761360f0131e747b6e7fdf42a4843

Download Submit
memory/3000-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-11-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/3000-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download