2cfe89d5abd7d5470f052d450a16728e6b1d6956425a3348876640774700a023

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 01:07

Target

32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe
Size

4KB
MD5

32b8f8aa9eb041586fc594b80603edde
SHA1

eaa66cc17f917c96c4e8359c9bcdfc477ac10dea
SHA256

2cfe89d5abd7d5470f052d450a16728e6b1d6956425a3348876640774700a023
SHA512

ad7412a85fb55d6bff8ae1fd2df3623bee5d961b538435c2b6d2d716040c1a384f1a3952f806116e3a8e594a590ca2ae13e4a538a2b999f46ffda965e625eac4

Score

1^/10

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2072	2480	32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2072	2480	32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2072	2480	32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2072	2480	32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2200	2072	cmd.exe	33
PID 2072 wrote to memory of 2200	2072	cmd.exe	33
PID 2072 wrote to memory of 2200	2072	cmd.exe	33
PID 2072 wrote to memory of 2200	2072	cmd.exe	33
PID 2072 wrote to memory of 3044	2072	cmd.exe	34
PID 2072 wrote to memory of 3044	2072	cmd.exe	34
PID 2072 wrote to memory of 3044	2072	cmd.exe	34
PID 2072 wrote to memory of 3044	2072	cmd.exe	34
PID 3044 wrote to memory of 3028	3044	cmd.exe	35
PID 3044 wrote to memory of 3028	3044	cmd.exe	35
PID 3044 wrote to memory of 3028	3044	cmd.exe	35
PID 3044 wrote to memory of 3028	3044	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32b8f8aa9eb041586fc594b80603edde_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\259449038.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\reg.exe
    REG delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v TARGET_ROOT /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V TARGET_ROOT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V TARGET_ROOT
      4⤵
      PID:3028

C:\Users\Admin\AppData\Local\Temp\259449038.bat

Filesize
447B

MD5
41be685d2288f27937c529542b70369e

SHA1
f68ac378eae61be0d1dff80098d5a2fdc2b7862a

SHA256
9afb39a041ff0f3281d214fc97c6270ad369a5be1854027c9a3b1a7003468e9b

SHA512
d447e3fb99872b01cb73a8dc5153112e7e4bd01d444843e1eab5e068f6181cc8e08c3593f2e70cd246e735f766bc49b5b787a39f54e606d3c17d7475be2dd711

Download Submit