5783405e49c737b41865b998c9fbe53ff94638154d1dff1606d072e4f438907d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 18:38

Target

0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe
Size

43KB
MD5

0f1eaa070d18d788d23faa69be205bba
SHA1

b827f9625a15c1a8dd92475c9f6d8c62af3f97dc
SHA256

5783405e49c737b41865b998c9fbe53ff94638154d1dff1606d072e4f438907d
SHA512

b1f01d0de24873e3610db3d724ac1c8d88b646e0750609ee42da25aa9255c7efc1c8648ea8409f7b75512ffae246552ef8a153198fc9f6e866084784a0f27c69
SSDEEP

768:9IjDfS2B0zqCq0u0VsQnAz3N//zUjackFCDYJ3aKXQEpdJiD4q:9GbS2fN0VsQATV/zJFCg3pXQ8ris

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
340	dwdkzufi.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe
2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 340	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	31
PID 2400 wrote to memory of 340	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	31
PID 2400 wrote to memory of 340	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	31
PID 2400 wrote to memory of 340	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1716	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1716	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1716	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1716	2400	0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f1eaa070d18d788d23faa69be205bba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2400
- C:\ProgramData\hsvkpkja\dwdkzufi.exe
  C:\ProgramData\hsvkpkja\dwdkzufi.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\0F1EAA~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:1716

C:\ProgramData\hsvkpkja\dwdkzufi.exe

Filesize
43KB

MD5
0f1eaa070d18d788d23faa69be205bba

SHA1
b827f9625a15c1a8dd92475c9f6d8c62af3f97dc

SHA256
5783405e49c737b41865b998c9fbe53ff94638154d1dff1606d072e4f438907d

SHA512
b1f01d0de24873e3610db3d724ac1c8d88b646e0750609ee42da25aa9255c7efc1c8648ea8409f7b75512ffae246552ef8a153198fc9f6e866084784a0f27c69

Download Submit
memory/2400-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download