52fbbabb0dedb072dcce16af639827de6a377d3fd48df571be9528fb294f3786

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245931588f1218f9cd72ee489836983a_JaffaCakes118.exe
Size

172KB
MD5

245931588f1218f9cd72ee489836983a
SHA1

a3b3aa0c51b11e219ad2771fe9dbcef3744c2941
SHA256

52fbbabb0dedb072dcce16af639827de6a377d3fd48df571be9528fb294f3786
SHA512

d10c5640b6aaabccc92577cc6ecb1c4247d7167ba429e0a04cc44356ff56289775c9dec65724e294292283a64832cd409797f42502e6eabbf18a56a4d06ef201
SSDEEP

3072:58sHCMzHUdKuYtiywECUdB3m/MpgJObYcUQNyPJ1bI2o+gpg8iyVIiwlh/n:RCM0c/EUdB3megd0Y1k2opuGEhf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: RenamesItself 19 IoCs

pid	Process
3780	245931588f1218f9cd72ee489836983a_JaffaCakes118.exe
2996	oqntqz.exe
3452	iczyzaseim.exe
4016	kzof.exe
5008	rwmelcmrusn.exe
1648	pwkomnzx.exe
4636	hdlig.exe
4856	nstreoeuz.exe
2912	tpkrwxbdt.exe
3472	kskzh.exe
2572	zhnpxvhxh.exe
3148	yjqwieakdcjtj.exe
1556	etnecccbo.exe
1624	ahmmhv.exe
1144	lbhlkxqaxcvu.exe
3376	ljllixook.exe
344	rvlhhorhrq.exe
2448	fbvnbq.exe
5104	jjtnugwit.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 2996	3780	245931588f1218f9cd72ee489836983a_JaffaCakes118.exe	83
PID 3780 wrote to memory of 2996	3780	245931588f1218f9cd72ee489836983a_JaffaCakes118.exe	83
PID 3780 wrote to memory of 2996	3780	245931588f1218f9cd72ee489836983a_JaffaCakes118.exe	83
PID 2996 wrote to memory of 3452	2996	oqntqz.exe	89
PID 2996 wrote to memory of 3452	2996	oqntqz.exe	89
PID 2996 wrote to memory of 3452	2996	oqntqz.exe	89
PID 3452 wrote to memory of 4016	3452	iczyzaseim.exe	90
PID 3452 wrote to memory of 4016	3452	iczyzaseim.exe	90
PID 3452 wrote to memory of 4016	3452	iczyzaseim.exe	90
PID 4016 wrote to memory of 5008	4016	kzof.exe	91
PID 4016 wrote to memory of 5008	4016	kzof.exe	91
PID 4016 wrote to memory of 5008	4016	kzof.exe	91
PID 5008 wrote to memory of 1648	5008	rwmelcmrusn.exe	94
PID 5008 wrote to memory of 1648	5008	rwmelcmrusn.exe	94
PID 5008 wrote to memory of 1648	5008	rwmelcmrusn.exe	94
PID 1648 wrote to memory of 4636	1648	pwkomnzx.exe	95
PID 1648 wrote to memory of 4636	1648	pwkomnzx.exe	95
PID 1648 wrote to memory of 4636	1648	pwkomnzx.exe	95
PID 4636 wrote to memory of 4856	4636	hdlig.exe	96
PID 4636 wrote to memory of 4856	4636	hdlig.exe	96
PID 4636 wrote to memory of 4856	4636	hdlig.exe	96
PID 4856 wrote to memory of 2912	4856	nstreoeuz.exe	97
PID 4856 wrote to memory of 2912	4856	nstreoeuz.exe	97
PID 4856 wrote to memory of 2912	4856	nstreoeuz.exe	97
PID 2912 wrote to memory of 3472	2912	tpkrwxbdt.exe	98
PID 2912 wrote to memory of 3472	2912	tpkrwxbdt.exe	98
PID 2912 wrote to memory of 3472	2912	tpkrwxbdt.exe	98
PID 3472 wrote to memory of 2572	3472	kskzh.exe	99
PID 3472 wrote to memory of 2572	3472	kskzh.exe	99
PID 3472 wrote to memory of 2572	3472	kskzh.exe	99
PID 2572 wrote to memory of 3148	2572	zhnpxvhxh.exe	100
PID 2572 wrote to memory of 3148	2572	zhnpxvhxh.exe	100
PID 2572 wrote to memory of 3148	2572	zhnpxvhxh.exe	100
PID 3148 wrote to memory of 1556	3148	yjqwieakdcjtj.exe	101
PID 3148 wrote to memory of 1556	3148	yjqwieakdcjtj.exe	101
PID 3148 wrote to memory of 1556	3148	yjqwieakdcjtj.exe	101
PID 1556 wrote to memory of 1624	1556	etnecccbo.exe	102
PID 1556 wrote to memory of 1624	1556	etnecccbo.exe	102
PID 1556 wrote to memory of 1624	1556	etnecccbo.exe	102
PID 1624 wrote to memory of 1144	1624	ahmmhv.exe	103
PID 1624 wrote to memory of 1144	1624	ahmmhv.exe	103
PID 1624 wrote to memory of 1144	1624	ahmmhv.exe	103
PID 1144 wrote to memory of 3376	1144	lbhlkxqaxcvu.exe	104
PID 1144 wrote to memory of 3376	1144	lbhlkxqaxcvu.exe	104
PID 1144 wrote to memory of 3376	1144	lbhlkxqaxcvu.exe	104
PID 3376 wrote to memory of 344	3376	ljllixook.exe	105
PID 3376 wrote to memory of 344	3376	ljllixook.exe	105
PID 3376 wrote to memory of 344	3376	ljllixook.exe	105
PID 344 wrote to memory of 2448	344	rvlhhorhrq.exe	106
PID 344 wrote to memory of 2448	344	rvlhhorhrq.exe	106
PID 344 wrote to memory of 2448	344	rvlhhorhrq.exe	106
PID 2448 wrote to memory of 912	2448	fbvnbq.exe	107
PID 2448 wrote to memory of 912	2448	fbvnbq.exe	107
PID 2448 wrote to memory of 912	2448	fbvnbq.exe	107
PID 5104 wrote to memory of 4716	5104	jjtnugwit.exe	109
PID 5104 wrote to memory of 4716	5104	jjtnugwit.exe	109
PID 5104 wrote to memory of 4716	5104	jjtnugwit.exe	109

C:\Users\Admin\AppData\Local\Temp\245931588f1218f9cd72ee489836983a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\245931588f1218f9cd72ee489836983a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SysWOW64\oqntqz.exe
  C:\Windows\system32\oqntqz.exe
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\iczyzaseim.exe
    C:\Windows\system32\iczyzaseim.exe
    3⤵
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\SysWOW64\kzof.exe
      C:\Windows\system32\kzof.exe
      4⤵
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\rwmelcmrusn.exe
        
        C:\Windows\system32\rwmelcmrusn.exe
        5⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\pwkomnzx.exe
        
        C:\Windows\system32\pwkomnzx.exe
        6⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\hdlig.exe
        
        C:\Windows\system32\hdlig.exe
        7⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\nstreoeuz.exe
        
        C:\Windows\system32\nstreoeuz.exe
        8⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\tpkrwxbdt.exe
        
        C:\Windows\system32\tpkrwxbdt.exe
        9⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\kskzh.exe
        
        C:\Windows\system32\kskzh.exe
        10⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\zhnpxvhxh.exe
        
        C:\Windows\system32\zhnpxvhxh.exe
        11⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\yjqwieakdcjtj.exe
        
        C:\Windows\system32\yjqwieakdcjtj.exe
        12⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\etnecccbo.exe
        
        C:\Windows\system32\etnecccbo.exe
        13⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\ahmmhv.exe
        
        C:\Windows\system32\ahmmhv.exe
        14⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\lbhlkxqaxcvu.exe
        
        C:\Windows\system32\lbhlkxqaxcvu.exe
        15⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\ljllixook.exe
        
        C:\Windows\system32\ljllixook.exe
        16⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\rvlhhorhrq.exe
        
        C:\Windows\system32\rvlhhorhrq.exe
        17⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\fbvnbq.exe
        
        C:\Windows\system32\fbvnbq.exe
        18⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\ndtotwiez.exe
        
        C:\Windows\system32\ndtotwiez.exe
        19⤵
        
        PID:912
        
        C:\Windows\SysWOW64\jjtnugwit.exe
        
        C:\Windows\system32\jjtnugwit.exe
        20⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\fbcmeolyian.exe
        
        C:\Windows\system32\fbcmeolyian.exe
        21⤵
        
        PID:4716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/912-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1144-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1556-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1648-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2572-52-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-15-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/2996-18-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2996-17-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/2996-16-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/2996-32-0x00000000038A0000-0x00000000038BE000-memory.dmp

Filesize
120KB

Download
memory/2996-14-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/2996-13-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/2996-12-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/2996-11-0x00000000038A0000-0x00000000038BE000-memory.dmp

Filesize
120KB

Download
memory/2996-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3376-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-28-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/3452-29-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/3452-27-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3452-26-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/3452-25-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3452-24-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/3452-23-0x0000000003880000-0x000000000389E000-memory.dmp

Filesize
120KB

Download
memory/3452-30-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/3452-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-36-0x0000000003880000-0x000000000389E000-memory.dmp

Filesize
120KB

Download
memory/3472-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3780-21-0x0000000000470000-0x000000000048E000-memory.dmp

Filesize
120KB

Download
memory/3780-5-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3780-8-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3780-7-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/3780-6-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/3780-4-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/3780-3-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3780-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3780-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3780-1-0x0000000000470000-0x000000000048E000-memory.dmp

Filesize
120KB

Download
memory/3780-2-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/4016-34-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/4016-39-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/4016-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4636-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4856-46-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5008-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads