96abed35a9bd1eb2af760bd4f98cb2f237b5cfe582e149f91e9e6905cf1e37ba

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 10:15

Target

1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
Size

67KB
MD5

1ae81daa8a59e5696031330b4dada797
SHA1

2d9cf9d28ef5da2edb1a1076c2b5f5b56efa1e8a
SHA256

96abed35a9bd1eb2af760bd4f98cb2f237b5cfe582e149f91e9e6905cf1e37ba
SHA512

c9e1371b6dc92c6e737c8442a94eda257b99c5f0e6b00d2d9209f1c3057f0f9fd8ef157635c7b166b7cba107ff42e857344f7ce60578f70726c9e0e7e6ab4737
SSDEEP

1536:5r/PqLcQwJblX3zrTBfuzHvxjEItAiaqEx5P/SI:xtBHzr9u7xjMqz

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\20240701101558.exe	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explorer	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\explorer	cmd.exe
File opened for modification	C:\Windows\SysWOW64\explorer	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2820	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2820	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2820	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2820	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2948	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2948	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2948	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2948	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2788	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2788	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2788	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2788	2896	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\copy.bat
  2⤵
  - Drops file in System32 directory
  PID:2820
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\EZC3E58.bat
  2⤵
  - Deletes itself
  PID:2788

C:\Users\Admin\AppData\Local\Temp\EZC3E58.bat

Filesize
399B

MD5
c53b5fa1dddeca65bc504d16d817f1cf

SHA1
698b1379154732abfe39a54609815511b62537fa

SHA256
31cc957634b99e0d6dac24a1edbb9d8e0d3f19f8de3bf10dac48b4b1eaada42d

SHA512
b38a281ee6503f194ece31a52bc02f1e5cbd5c2108888978b479c9f907fb0a4915a3b7efa3fe600bfde0d1507703e92c466ab0d4fa9e46ff38d0d7c71f375616

Download Submit
C:\Users\Admin\AppData\Roaming\copy.bat

Filesize
92B

MD5
b31e28a639a52a0deb54b1ef2a109dcd

SHA1
7789713dc7319acfa7aab39888a6d67b98be353b

SHA256
6b8525fc02941fac770f892f4cdc456118ab91af286765e7dbd01c4fa5c1a818

SHA512
04411db0a0e643931951841a102520bcfbbd81fc6f0b7b4bf3e5e9fef528ee2b43b2b851c0ec869ab3d220e8c64b8087316b999dc6d8d2f062d1fbcd51726ba9

Download Submit
memory/2896-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2896-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download