6b14ff4bb42c1b60d5d505aa2e7f9d805d6743a963f49312da73cf7e94efd864

Analysis

max time kernel
146s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 18:01

Target

0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe
Size

413KB
MD5

0f03b5a65699ee04027bc35ca30f92ad
SHA1

4f8ff6c79daa7d0849531b150e618228a9c1b488
SHA256

6b14ff4bb42c1b60d5d505aa2e7f9d805d6743a963f49312da73cf7e94efd864
SHA512

5b2ba4fb1b2c6c03b5f2c4b6b25f8dc91960032c2552e6b0ed46397867888cfa9c62f7828dce6be857341e0858d7339d829c018cf8f57f3e9ba50e64044ebcd9
SSDEEP

6144:Rk9FuylMDJqUxAjzBWkfSOBlWWRmGwL4QQgKKX8x7/2xWqWma2XDzHPt281tTE:G9FuyeJqn8pOjWtGNgDUiWqWNKDrt2wE

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2792	NX.exe
1852	NXShell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NXShell.exe	NX.exe
File opened for modification	C:\Windows\SysWOW64\NXShell.exe	NX.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 536	2856	0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe	88
PID 2856 wrote to memory of 536	2856	0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe	88
PID 2856 wrote to memory of 536	2856	0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe	88
PID 536 wrote to memory of 2792	536	cmd.exe	90
PID 536 wrote to memory of 2792	536	cmd.exe	90
PID 536 wrote to memory of 2792	536	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f03b5a65699ee04027bc35ca30f92ad_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt7713.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\NX.exe
    nx.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2792

C:\Windows\SysWOW64\NXShell.exe
C:\Windows\SysWOW64\NXShell.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\NX.exe

Filesize
18KB

MD5
6a3d4610199539ef5e53178d66fd0903

SHA1
6dd05da8904f1efc0924bfa437259777d598e9f9

SHA256
b6f395431946e1f093a01c1cb59e4915e48a6295d6c9693321560481fa65da9c

SHA512
6b7dc052ec73252f501972de2d5c40163491fcb3fd9c3af2fb4d3161c1f6f56c77e82700bf222895355cc260fb92ecc1b3551d2a9c490d59613d0bc4deb80b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt7713.bat

Filesize
8B

MD5
65ad41799b06cefac0a0446e5470615e

SHA1
4b980854e946865aff1c02a4a950a0de7efbbdd9

SHA256
f8f0441c1b7418b93a337a12799a0d4a13ca29f6ddd01fbfa403909d2a3f7ddb

SHA512
133a3b00975c984b1c350e1dc60537395b913cb31b84b2a39e610f4e23be5134d8aef55977b856c24e67e5f3f05a138ad990df4d9f8aae0fc8da9b6245d1eb1a

Download Submit
memory/2856-0-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2856-1-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2856-13-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download