c8d17d37874dc64f6f75bd216533e33db282a6a0db0f033902da299796f21b5b

Analysis

max time kernel
140s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 22:41

Target

0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe
Size

6KB
MD5

0b0893adced0f63f8d637a3ec0d059c6
SHA1

c677060f9ff0b6c0eb6cd69c4446960db57ae857
SHA256

c8d17d37874dc64f6f75bd216533e33db282a6a0db0f033902da299796f21b5b
SHA512

d903c477aff3d54e8854e01e226db424e42f92d59f02a3c9691d9b6f536e28be1f0005c2ec623ea6ba136bdb4d5450b10b4ff1951e4f75eebfc69ce411e6d4c0
SSDEEP

96:NR+9Qg4yjLH0K8qx+uVk9ZhFKrupeG2WQSNwO97jM3b2cSTML9MUb:NR+9QF2x+uUZhFZeZmDmSckW9jb

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4588	11

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2336-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2336-8-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\11	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\startx.bat	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4588	11

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 4588	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	80
PID 2336 wrote to memory of 4588	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	80
PID 2336 wrote to memory of 4588	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	80
PID 2336 wrote to memory of 2848	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	81
PID 2336 wrote to memory of 2848	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	81
PID 2336 wrote to memory of 2848	2336	0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0893adced0f63f8d637a3ec0d059c6_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\11
  -i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Windows\system32\startx.bat"
  2⤵
  PID:2848

C:\Windows\SysWOW64\11

Filesize
10KB

MD5
b35249bb1fa618ea53eac711eaefe68a

SHA1
4a6603067db34d4bb65c992b611d6e00fce6381b

SHA256
a07f0589cbb807562705c9813db5ccba9f2a5815572cc2334a3a6d02329c406e

SHA512
24bb44b17f0dceaf7f92033666d268af52ba1c9d1d782197b83727398c11b5362f26853ec2f593210a0f07032f032ac3f510d21ad37d8f5b1a58dbddf8f4fc34

Download Submit
C:\Windows\SysWOW64\startx.bat

Filesize
277B

MD5
b3a143766e47c6735ab3845d5dd90243

SHA1
8d3195df3e7996b42690b24c9c44f5085f182154

SHA256
b1da536b6da36a5c996063a4d900c9c39dd51f04de19f5bf06db5e571cec54c8

SHA512
367d0a4ec33385fb790c02c9409653e81112ab2bdfc399b188ec30958f42b0d7ab438d89679089b5670f891d777c3ab684144d8d35c55624f2644e42443ab7ca

Download Submit
memory/2336-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2336-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4588-10-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download