a5119f61191f2c33a7c6d604c7fdecbf58a8d765ab3b966774e3cf0f1378cfdf

Analysis

max time kernel
148s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
Size

700KB
MD5

25126c6b35332e0009b2589cfcacd10a
SHA1

fa39718357ef2f9ff91f89f0e53144e4d7d531cc
SHA256

a5119f61191f2c33a7c6d604c7fdecbf58a8d765ab3b966774e3cf0f1378cfdf
SHA512

e8e49e3a296bf329772bc70c8f03d5a473ab32fb97282263ba280bfdfbe4bfc9e64a2bf81e1bc932149cb2884e3cb76031cfa61b06b6d1c2227d1e573c7d2336
SSDEEP

12288:EJxEpYJi/QphJGnDx0dc3lOkTQQdjJfbVBHGeN:wxvyQph8nt0UL1bVdN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
1016	agl25.exe
1652	agl25.exe
2696	agl25.exe
4964	agl25.exe
3668	agl25.exe
3688	agl25.exe
3920	agl25.exe
4400	agl25.exe
2760	agl25.exe
392	agl25.exe
4884	agl25.exe
4844	agl25.exe
4420	agl25.exe
3396	agl25.exe
2388	agl25.exe
2732	agl25.exe
4012	agl25.exe
2908	agl25.exe
1964	agl25.exe
3640	agl25.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File opened for modification	C:\Windows\SysWOW64\agl25.exe	agl25.exe
File created	C:\Windows\SysWOW64\agl25.exe	agl25.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 1016 set thread context of 1652	1016	agl25.exe	83
PID 2696 set thread context of 4964	2696	agl25.exe	92
PID 3668 set thread context of 3688	3668	agl25.exe	95
PID 3920 set thread context of 4400	3920	agl25.exe	98
PID 2760 set thread context of 392	2760	agl25.exe	100
PID 4884 set thread context of 4844	4884	agl25.exe	102
PID 4420 set thread context of 3396	4420	agl25.exe	104
PID 2388 set thread context of 2732	2388	agl25.exe	106
PID 4012 set thread context of 2908	4012	agl25.exe	108
PID 1964 set thread context of 3640	1964	agl25.exe	110

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
1016	agl25.exe
2696	agl25.exe
3668	agl25.exe
3920	agl25.exe
2760	agl25.exe
4884	agl25.exe
4420	agl25.exe
2388	agl25.exe
4012	agl25.exe
1964	agl25.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 648 wrote to memory of 1124	648	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	81
PID 1124 wrote to memory of 1016	1124	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	82
PID 1124 wrote to memory of 1016	1124	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	82
PID 1124 wrote to memory of 1016	1124	25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe	82
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1016 wrote to memory of 1652	1016	agl25.exe	83
PID 1652 wrote to memory of 2696	1652	agl25.exe	91
PID 1652 wrote to memory of 2696	1652	agl25.exe	91
PID 1652 wrote to memory of 2696	1652	agl25.exe	91
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 2696 wrote to memory of 4964	2696	agl25.exe	92
PID 4964 wrote to memory of 3668	4964	agl25.exe	94
PID 4964 wrote to memory of 3668	4964	agl25.exe	94
PID 4964 wrote to memory of 3668	4964	agl25.exe	94
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3668 wrote to memory of 3688	3668	agl25.exe	95
PID 3688 wrote to memory of 3920	3688	agl25.exe	97
PID 3688 wrote to memory of 3920	3688	agl25.exe	97
PID 3688 wrote to memory of 3920	3688	agl25.exe	97
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 3920 wrote to memory of 4400	3920	agl25.exe	98
PID 4400 wrote to memory of 2760	4400	agl25.exe	99
PID 4400 wrote to memory of 2760	4400	agl25.exe	99

C:\Users\Admin\AppData\Local\Temp\25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\agl25.exe
    C:\Windows\system32\agl25.exe 1004 "C:\Users\Admin\AppData\Local\Temp\25126c6b35332e0009b2589cfcacd10a_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\agl25.exe
      C:\Windows\SysWOW64\agl25.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1148 "C:\Windows\SysWOW64\agl25.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4420
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1120 "C:\Windows\SysWOW64\agl25.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1136 "C:\Windows\SysWOW64\agl25.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\system32\agl25.exe 1124 "C:\Windows\SysWOW64\agl25.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\agl25.exe
        
        C:\Windows\SysWOW64\agl25.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\agl25.exe

Filesize
700KB

MD5
25126c6b35332e0009b2589cfcacd10a

SHA1
fa39718357ef2f9ff91f89f0e53144e4d7d531cc

SHA256
a5119f61191f2c33a7c6d604c7fdecbf58a8d765ab3b966774e3cf0f1378cfdf

SHA512
e8e49e3a296bf329772bc70c8f03d5a473ab32fb97282263ba280bfdfbe4bfc9e64a2bf81e1bc932149cb2884e3cb76031cfa61b06b6d1c2227d1e573c7d2336

Download Submit
memory/392-58-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1124-4-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1124-5-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1124-21-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1124-2-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1652-18-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1652-22-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2732-85-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2908-94-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3396-76-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3640-103-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3688-40-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4400-49-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4844-67-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4964-31-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download