9dbfc88af7ac792fca56cbe89d04cb927e3d50cb02241f925891f2b8cd4cc0c5

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
Size

308KB
MD5

329e259156fbf6516d6f0619c0edf782
SHA1

e82949a9101bafded6547bab85987b34540a4cf9
SHA256

9dbfc88af7ac792fca56cbe89d04cb927e3d50cb02241f925891f2b8cd4cc0c5
SHA512

519cbe09fbfda6cb8615496e0d067811a24cf097e51ad6e0f2edeb2cdf89539396a14f756563190f6962f79d92cebf0db5cdd847721a75e720719c0f4e632399
SSDEEP

6144:BC0ZeCtAazCQfS1eJB3wrBB+ffhl/mgjp8e:TwUJtX3wrYh9j5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2556	load.exe
2488	load.exe
2664	load.exe
1828	load.exe
2676	load.exe
804	load.exe

Loads dropped DLL 12 IoCs

pid	Process
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
2556	load.exe
2556	load.exe
2488	load.exe
2488	load.exe
2664	load.exe
2664	load.exe
1828	load.exe
1828	load.exe
2676	load.exe
2676	load.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\load.exe	load.exe
File created	C:\Windows\SysWOW64\load.exe	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\load.exe	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\load.exe	load.exe
File created	C:\Windows\SysWOW64\load.exe	load.exe
File created	C:\Windows\SysWOW64\load.exe	load.exe
File created	C:\Windows\SysWOW64\load.exe	load.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2556	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2488	load.exe
2664	load.exe
2664	load.exe
2664	load.exe
2664	load.exe
2664	load.exe
2664	load.exe
1828	load.exe
1828	load.exe
1828	load.exe
1828	load.exe
1828	load.exe
1828	load.exe
2676	load.exe
2676	load.exe
2676	load.exe
2676	load.exe
2676	load.exe
2676	load.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2556	1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe	31
PID 1380 wrote to memory of 2556	1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe	31
PID 1380 wrote to memory of 2556	1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe	31
PID 1380 wrote to memory of 2556	1380	329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2488	2556	load.exe	32
PID 2556 wrote to memory of 2488	2556	load.exe	32
PID 2556 wrote to memory of 2488	2556	load.exe	32
PID 2556 wrote to memory of 2488	2556	load.exe	32
PID 2488 wrote to memory of 2664	2488	load.exe	33
PID 2488 wrote to memory of 2664	2488	load.exe	33
PID 2488 wrote to memory of 2664	2488	load.exe	33
PID 2488 wrote to memory of 2664	2488	load.exe	33
PID 2664 wrote to memory of 1828	2664	load.exe	34
PID 2664 wrote to memory of 1828	2664	load.exe	34
PID 2664 wrote to memory of 1828	2664	load.exe	34
PID 2664 wrote to memory of 1828	2664	load.exe	34
PID 1828 wrote to memory of 2676	1828	load.exe	35
PID 1828 wrote to memory of 2676	1828	load.exe	35
PID 1828 wrote to memory of 2676	1828	load.exe	35
PID 1828 wrote to memory of 2676	1828	load.exe	35
PID 2676 wrote to memory of 804	2676	load.exe	36
PID 2676 wrote to memory of 804	2676	load.exe	36
PID 2676 wrote to memory of 804	2676	load.exe	36
PID 2676 wrote to memory of 804	2676	load.exe	36

C:\Users\Admin\AppData\Local\Temp\329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\load.exe
  C:\Windows\system32\load.exe -bai C:\Users\Admin\AppData\Local\Temp\329e259156fbf6516d6f0619c0edf782_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\load.exe
    C:\Windows\system32\load.exe -bai C:\Windows\SysWOW64\load.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\load.exe
      C:\Windows\system32\load.exe -bai C:\Windows\SysWOW64\load.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\load.exe
        
        C:\Windows\system32\load.exe -bai C:\Windows\SysWOW64\load.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\load.exe
        
        C:\Windows\system32\load.exe -bai C:\Windows\SysWOW64\load.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\load.exe
        
        C:\Windows\system32\load.exe -bai C:\Windows\SysWOW64\load.exe
        7⤵
        Executes dropped EXE
        
        PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\load.exe

Filesize
308KB

MD5
329e259156fbf6516d6f0619c0edf782

SHA1
e82949a9101bafded6547bab85987b34540a4cf9

SHA256
9dbfc88af7ac792fca56cbe89d04cb927e3d50cb02241f925891f2b8cd4cc0c5

SHA512
519cbe09fbfda6cb8615496e0d067811a24cf097e51ad6e0f2edeb2cdf89539396a14f756563190f6962f79d92cebf0db5cdd847721a75e720719c0f4e632399

Download Submit
memory/1380-5-0x0000000001E80000-0x0000000001F9A000-memory.dmp

Filesize
1.1MB

Download
memory/1380-11-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1380-10-0x0000000001E80000-0x0000000001F9A000-memory.dmp

Filesize
1.1MB

Download
memory/1380-0-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1828-34-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1828-30-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2488-24-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2488-19-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2488-20-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2556-18-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2556-14-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2556-12-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2664-25-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2664-29-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2676-35-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2676-36-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2676-40-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download