6638c000d21082f0264e8ac0d93c90398ad377eeda0a9ab120661c9dd51ee844

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 18:52

Target

25decf8fa867a62416931d6720c30266_JaffaCakes118.exe
Size

57KB
MD5

25decf8fa867a62416931d6720c30266
SHA1

2fab333f75e1c5e82bdad67e37b1f1523e92c8d1
SHA256

6638c000d21082f0264e8ac0d93c90398ad377eeda0a9ab120661c9dd51ee844
SHA512

2c8deea7a1f062ac20c8a17136d7d86f97786d3fe726bb943616ccc168aa08812b83bb46a4855dc3aadb7b55a0a8de1d28ec05683dde821fa44be5c84fd98994
SSDEEP

384:zn9bzpLuObkiCtOnDJYxV8ztfyXUtr+jEkBEyy8mOckpRH6MUyfU1jwu:pzpLuObsMnlB+jEkNpmOXJTUyc

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1048	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2008	conime.exe
2560	conime.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe
2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\conime.exe	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe
File opened for modification	C:\Windows\system\conime.exe	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe
2560	conime.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2008	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2008	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2008	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2008	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	28
PID 2160 wrote to memory of 1048	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	29
PID 2160 wrote to memory of 1048	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	29
PID 2160 wrote to memory of 1048	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	29
PID 2160 wrote to memory of 1048	2160	25decf8fa867a62416931d6720c30266_JaffaCakes118.exe	29
PID 2008 wrote to memory of 2560	2008	conime.exe	33
PID 2008 wrote to memory of 2560	2008	conime.exe	33
PID 2008 wrote to memory of 2560	2008	conime.exe	33
PID 2008 wrote to memory of 2560	2008	conime.exe	33

C:\Users\Admin\AppData\Local\Temp\25decf8fa867a62416931d6720c30266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25decf8fa867a62416931d6720c30266_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system\conime.exe
  C:\Windows\system\conime.exe /sleepDown
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system\conime.exe
    C:\Windows\system\conime.exe /wormadd "\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\25decf8fa867a62416931d6720c30266_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:1048

C:\Users\Admin\AppData\Local\Temp\25decf8fa867a62416931d6720c30266_JaffaCakes118.exe.bat

Filesize
212B

MD5
f3ff7be902f9d6faa2e158303a12e194

SHA1
f97a086cfc5280d3e3847d54d796ae7ba0a1a9c5

SHA256
7a57cfb09bceac04f9aa726ffe3ecef82a58d550a92a847006341520f6d77fce

SHA512
67fcd3e3b328ce0c62ebed86a5e4e4dc3eaf8ecc460ac457a33e15b038a43c1dc62ca1bb3e651bc53cb6807e91a12fcda1ab509d683885bedcf09b66e4f3e2a8

Download Submit
\Windows\system\conime.exe

Filesize
57KB

MD5
25decf8fa867a62416931d6720c30266

SHA1
2fab333f75e1c5e82bdad67e37b1f1523e92c8d1

SHA256
6638c000d21082f0264e8ac0d93c90398ad377eeda0a9ab120661c9dd51ee844

SHA512
2c8deea7a1f062ac20c8a17136d7d86f97786d3fe726bb943616ccc168aa08812b83bb46a4855dc3aadb7b55a0a8de1d28ec05683dde821fa44be5c84fd98994

Download Submit
memory/2008-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2160-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2560-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download