e3b2c59b2b0cb1efbca1f1fa92e6d61d1f88984a55a18473d7c58f407dc82caf

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 18:42

Target

1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe
Size

94KB
MD5

1c17dc9a4270136d6b7f34f4e9ce408e
SHA1

e05a3b3d69bcb4aebde01bdb83d055052c7eeccc
SHA256

e3b2c59b2b0cb1efbca1f1fa92e6d61d1f88984a55a18473d7c58f407dc82caf
SHA512

9b72410467b29ec1334308e1cdf11c3acdb0889fd571c68b4bf1e5a80ee3439c54a30a1784de311411ca50de5876ebd6fac61337321da56048b5b44838e3f652
SSDEEP

1536:34of6vPybPojAfQL/SYioy/xdz3S/z4wmq/QEF9AS7mWdW4/TVhoyDEMl3eXcQTA:IlvPypfa/S937q87MKSyT4/Trh2tTeOS

Score

7^/10

Executes dropped EXE 3 IoCs

Loads dropped DLL 2 IoCs

pid	Process
2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe
2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\winhelp.exe	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\winhelp32.exe	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2180	2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2180	2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2180	2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2180	2244	1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c17dc9a4270136d6b7f34f4e9ce408e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244
- \??\c:\windows\SysWOW64\winhelp.exe
  c:\windows\system32\winhelp.exe /i
  2⤵
  - Executes dropped EXE
  PID:2180

C:\Windows\SysWOW64\winhelp.exe
C:\Windows\SysWOW64\winhelp.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\winhelp32.exe
C:\Windows\SysWOW64\winhelp32.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\winhelp32.exe

Filesize
101KB

MD5
0207b12c72e0abf2e95526f194b05da3

SHA1
e2a4efd653d12703f1284a806c58d32190cb60f3

SHA256
8df609a24039e4ea329075174f73f65344f18c2cb599b69546e1e5530f5408e4

SHA512
3179d8c96c7d2c0a57a9f194b8ff906702c6584225689790dd2ae5d4d6e50f14f2ae74e4cd8e2ee1a538533079779973e01918f3a7e147860081959f3da555b8

Download Submit
\Windows\SysWOW64\winhelp.exe

Filesize
140KB

MD5
2d510d07b348eb6e6c68d9af24e44c05

SHA1
931a552859e6116aa58444c574ad9fc8fc381031

SHA256
d27d93d40ad293db3f9c421198d8cae24b7d030b9ad3bc4287eac60093770370

SHA512
005b8635aff46da0c1d7fae41591a948baefdd6173a00549b1de48db92977d0f29b54a13addc0e1876128368f10d0fa3eeb58f1eaff0d8b2db2c750f13b38675

Download Submit
memory/2180-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2216-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2876-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download