8e50dabdb2317738612998fcc21750ec244e430ab7e669754d83ac6b9f66f627

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 08:35

Target

254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe
Size

630KB
MD5

254c3fe6bfe378135b288c697667c869
SHA1

f28e98d9da3b37925011228aee3fb799946abcab
SHA256

8e50dabdb2317738612998fcc21750ec244e430ab7e669754d83ac6b9f66f627
SHA512

bd69badce4a5bb71ed5aea097be36d9fc09fbe350597a76c20f858682e7047b54bee3a23a2a0e01da37dfaec2192be462973c96be1554baedbcea32af881a0e7
SSDEEP

12288:ZlwS15F7p/tf4rUpBSYp8FCAypb76Iq+5w34t:Zum7pZ4rqxsC/TqKyO

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\winyouyue.exe	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\winyouyue.exe	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1344	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1344	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1344	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1344	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2340	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2340	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2340	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2340	2248	254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\254c3fe6bfe378135b288c697667c869_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:1344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2340

C:\Windows\SysWOW64\Deleteme.bat

Filesize
218B

MD5
3fc09adbef18f4c83d10cce61b1e0832

SHA1
0ccf098896c511ed601dbcfaab6ca0f9f0d3dbd1

SHA256
81d42950633a63269d7266f415d68c9b61025d17a3a4c70895bb60555d54d77a

SHA512
598934b911f3130b33b9e0878937e79ee863bf7e0d5a931bbfac8d94f88d0addd9e32bf93ba3fa801ff43646f224ee5b1afaaa3fe02147db88a081927c232e46

Download Submit
memory/2248-0-0x0000000000400000-0x00000000004A4200-memory.dmp

Filesize
656KB

Download
memory/2248-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2248-12-0x0000000000400000-0x00000000004A4200-memory.dmp

Filesize
656KB

Download