96abed35a9bd1eb2af760bd4f98cb2f237b5cfe582e149f91e9e6905cf1e37ba

Analysis

max time kernel
142s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 10:15

Target

1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
Size

67KB
MD5

1ae81daa8a59e5696031330b4dada797
SHA1

2d9cf9d28ef5da2edb1a1076c2b5f5b56efa1e8a
SHA256

96abed35a9bd1eb2af760bd4f98cb2f237b5cfe582e149f91e9e6905cf1e37ba
SHA512

c9e1371b6dc92c6e737c8442a94eda257b99c5f0e6b00d2d9209f1c3057f0f9fd8ef157635c7b166b7cba107ff42e857344f7ce60578f70726c9e0e7e6ab4737
SSDEEP

1536:5r/PqLcQwJblX3zrTBfuzHvxjEItAiaqEx5P/SI:xtBHzr9u7xjMqz

Score

5^/10

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\20240701101611.exe	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explorer	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\explorer	cmd.exe
File opened for modification	C:\Windows\SysWOW64\explorer	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4776	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	89
PID 4964 wrote to memory of 4776	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	89
PID 4964 wrote to memory of 4776	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	89
PID 4964 wrote to memory of 4304	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	91
PID 4964 wrote to memory of 4304	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	91
PID 4964 wrote to memory of 4304	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	91
PID 4964 wrote to memory of 3280	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	92
PID 4964 wrote to memory of 3280	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	92
PID 4964 wrote to memory of 3280	4964	1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ae81daa8a59e5696031330b4dada797_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\copy.bat
  2⤵
  - Drops file in System32 directory
  PID:4776
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer
  2⤵
  - Modifies registry class
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\EZC1E12.bat
  2⤵
  PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\EZC1E12.bat

Filesize
399B

MD5
75cce2da873ba1b56aa202acd0419f4b

SHA1
7ea0661683efa5a8c9ae1c166ae1b07cdbbca256

SHA256
f995b3e9417c27c5bd44028772f94bc4b66422ea49d86ff15b468597f65977b1

SHA512
7ea488fef3c3312c3d1e7b55ed2e592a89f82da50ec687f1c70dca98ef3db4c72fa4d3470c3ba09430124de4835265301730ba57a3ea19a2626c1c740ba2a111

Download Submit
C:\Users\Admin\AppData\Roaming\copy.bat

Filesize
92B

MD5
b31e28a639a52a0deb54b1ef2a109dcd

SHA1
7789713dc7319acfa7aab39888a6d67b98be353b

SHA256
6b8525fc02941fac770f892f4cdc456118ab91af286765e7dbd01c4fa5c1a818

SHA512
04411db0a0e643931951841a102520bcfbbd81fc6f0b7b4bf3e5e9fef528ee2b43b2b851c0ec869ab3d220e8c64b8087316b999dc6d8d2f062d1fbcd51726ba9

Download Submit
memory/4964-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download