c88438cc457c12e562c36a93b2dc2ac7eda1715d4d50d20f4b5c2af6e8518e23

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 18:46

Target

0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
Size

22KB
MD5

0a3799738e9907da1d783f13025853db
SHA1

386dc52314d0036de6cd6d73edeb13c0bedc9ce1
SHA256

c88438cc457c12e562c36a93b2dc2ac7eda1715d4d50d20f4b5c2af6e8518e23
SHA512

08b4d0046db58633fbd2446d4b7898778226e0c8dfc5395cb21f91e172d11a79166a317ca80c1181039430f29bd630c1895fc893d7bf2473a0552a04c4ab14d0
SSDEEP

384:ipgxN7Kd/fGl0eO4RaRGDDNIeYqe4qvJGu3bqT5JwwV0dw1jOqtm:egxN7KFGyathvG93EAwV0danm

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/2552-20-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1001.ocx	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1001.ocx	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dragonnest01.ocx	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dragonnest01.ocx	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system.ini	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\New.dll	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\New.dll	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2936	2552	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe	80
PID 2552 wrote to memory of 2936	2552	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe	80
PID 2552 wrote to memory of 2936	2552	0a3799738e9907da1d783f13025853db_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\0a3799738e9907da1d783f13025853db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a3799738e9907da1d783f13025853db_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dragonnest.bat
  2⤵
  PID:2936

C:\Users\Admin\AppData\Local\Temp\dragonnest.bat

Filesize
1024B

MD5
bb06f50979239b9d67d5e64de464192f

SHA1
33abe0c12e273c54da736cff4b6fbe83cb948aba

SHA256
9d9af30bae52490608fbd63aca1f51fa60d930146d87d162d906b292faa66fd9

SHA512
4c0c01c1a59b80ad41d9dc5483b27cd4a764d4ced30f87699b98381b34020262d429ca79473cec69108000367230977045b910f631cd96dbb62c47adfe39689b

Download Submit
memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download