9759970fcaa707e6390e525ca8bb351019d447a21d1d63a7564b0b5f1f1533e5

Analysis

max time kernel
3s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 15:53

Target

0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe
Size

248KB
MD5

0ea725381f427e42f6e8e713c3306bbe
SHA1

5d29fb498382db9939b145a969ffc351b0c7b5ca
SHA256

9759970fcaa707e6390e525ca8bb351019d447a21d1d63a7564b0b5f1f1533e5
SHA512

06b39c2562427711c328d3f1ba35465206e9019070850e722e9f43079adb9a58253745799270e5bb100db956c981e3aa8e9f921213722ce265a537c4bc69f7be
SSDEEP

3072:VY+rqkMLmSRU/p753rnSAB3bYE4Hs3r+m8KN6RY8DS0r8dVlJ+dVkShPQUjJeVcp:VTMJy/D3rnBTRKm/ODxQDlQdFJ

Score

7^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4456-2-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4456-4-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4456-5-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4456-6-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral2/memory/4456-7-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3644 set thread context of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe
4456	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81
PID 3644 wrote to memory of 4456	3644	0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0ea725381f427e42f6e8e713c3306bbe_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2556

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4940

memory/4456-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4456-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4456-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4456-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4456-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4456-16-0x00007FFBB3630000-0x00007FFBB36B3000-memory.dmp

Filesize
524KB

Download