6fbec39f09c59bca3c1f111eeaca4d419585d8a628a2649f82e3744548ae58f8

Analysis

max time kernel
140s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 01:14

Target

27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe
Size

148KB
MD5

27414d2cf4cf9a836a58f06b1d3ebfd1
SHA1

1e68644b979a3b60e6e3b7b2e3ff0c3c0a337f72
SHA256

6fbec39f09c59bca3c1f111eeaca4d419585d8a628a2649f82e3744548ae58f8
SHA512

9eb97c4dd73c17e685fc5f2a4a3dc69fcae8ea95c1ea099f39fa9cb163a972f920a27d79f415ee7d22372d16eb8614b3665a5953fc312d3d12a7408068db3d4e
SSDEEP

1536:EkIwbw37FsPblw1FqrXJkHw/hU713t+3M+C/Z/SSqQxY:Ezwflw1FBw/+303BpqY

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
32	14111.exe
5012	2970.exe

Loads dropped DLL 1 IoCs

pid	Process
3216	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 32	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	81
PID 1620 wrote to memory of 32	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	81
PID 1620 wrote to memory of 32	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	81
PID 1620 wrote to memory of 5012	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	82
PID 1620 wrote to memory of 5012	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	82
PID 1620 wrote to memory of 5012	1620	27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe	82
PID 5012 wrote to memory of 3216	5012	2970.exe	83
PID 5012 wrote to memory of 3216	5012	2970.exe	83
PID 5012 wrote to memory of 3216	5012	2970.exe	83

C:\Users\Admin\AppData\Local\Temp\27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27414d2cf4cf9a836a58f06b1d3ebfd1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\14111.exe
  "C:\Users\Admin\AppData\Local\Temp\\14111.exe"
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Users\Admin\AppData\Local\Temp\2970.exe
  "C:\Users\Admin\AppData\Local\Temp\\2970.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\\7601.dll,i
    3⤵
    - Loads dropped DLL
    PID:3216

C:\Users\Admin\AppData\Local\Temp\14111.exe

Filesize
8KB

MD5
be3c7cb171dd5f1aa4d101b6b9658c1e

SHA1
06f2ebd5600d4f0b295634b8813bb3e43fe60122

SHA256
856419647759af36b31c5f9584a3df66aad2be033880afb394eab7af8b19db57

SHA512
b9400ba33c0dd331feb7ce98f520a9b3ab8b4021c47eb94be2a3774e434b18b58befa314e6ab00ecc38cbe74fb3758547a0e2cd0a5c9e5466d5fd5437d716f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2970.exe

Filesize
52KB

MD5
873070e1b025dbcf69a92ada13cd9c68

SHA1
48ccaf97232037ea544613b80abe5508a132d20b

SHA256
012438fc47a977a3c6f76a13384f507a0d3496c12556ff2fb89152ce5714a4ec

SHA512
89c2e9a7a770df2ee81dfe6cf754dc33712b67071800fd64c2e9ef1b61004f7d7c3eebfa2bc73873a9e9b60b9e643fa023e30aaf9aef4442679b0e90a6b8eeea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7601.dll

Filesize
10KB

MD5
9279f5655e63c707582f7f54b4d9bf97

SHA1
488f277af08494d1aab0b78cefe99148de4975b7

SHA256
44048bde8d43d481ec60b3275e3398b394f3260548ceb9d88deeab4c737f8dfb

SHA512
437600aa3c875ff07acb4620b6065e955b6623fd736172999cc3d67c118a58f456bf0455d1022038142764c711bc6522b8056d21605e5b644e5d6cb8b4cdf691

Download Submit
memory/32-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download