fef93d231108f37c546b13616ca93083cb798ce24c58a8d4bfb9056989ab8560

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 03:44

Target

332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe
Size

88KB
MD5

332d8e1ba65e137c0def5751ff5ee963
SHA1

69b5f9296bc2e23e3dd5c10eb857f74adfe8b490
SHA256

fef93d231108f37c546b13616ca93083cb798ce24c58a8d4bfb9056989ab8560
SHA512

0ef592474b67d5c63751c9b2bcbdf615b5f34aff089ae7ec9aa5d3f162d800d2105b399e6d7f12ef7ecfc74c50b6199720de3a5149b01cf47c4bc63dc3accfaa
SSDEEP

1536:tPg73ltn4k6yPz7KqTkTKBR1+aJe1mgawzxsBub8PC1jIHxATVGPd:tSQk1BgTKBR1+aJe1mgawzxsBub861jK

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\java\classes\c1d5ea2e.z	B268.tmp
File opened for modification	C:\Windows\java\classes\c1d5ea2e.z	B268.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	4064	WerFault.exe	87

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
4008	notepad.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
548	332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe
548	332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe
4772	e579673.exe
4772	e579673.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4772	548	332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe	83
PID 548 wrote to memory of 4772	548	332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe	83
PID 548 wrote to memory of 4772	548	332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.exe	83
PID 4772 wrote to memory of 4008	4772	e579673.exe	84
PID 4772 wrote to memory of 4008	4772	e579673.exe	84
PID 4772 wrote to memory of 4008	4772	e579673.exe	84
PID 4772 wrote to memory of 1148	4772	e579673.exe	86
PID 4772 wrote to memory of 1148	4772	e579673.exe	86
PID 4772 wrote to memory of 1148	4772	e579673.exe	86
PID 1148 wrote to memory of 4064	1148	WindowsUpdate.exe	87
PID 1148 wrote to memory of 4064	1148	WindowsUpdate.exe	87
PID 1148 wrote to memory of 4064	1148	WindowsUpdate.exe	87

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4064 -ip 4064
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\332d8e1ba65e137c0def5751ff5ee963_JaffaCakes118.txt

Filesize
68B

MD5
dde7ca3d7a1491005256f1081c8ad2bd

SHA1
c14916457836807cde154ca8bc3f3e996ccc5cfe

SHA256
5e3a50dd912124bea29426a3d585de64b89d34a1dd9199fba74c1c8d53e364ad

SHA512
7755c88ff344060b668908df30fc1f50530079fb41efc1d0d64139268155cea94e9556c525ca2a242a4721c4eb37bed22bfc840e1a7937f64af8150fa95cba12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
42KB

MD5
0711bb0efb9393b8da2d90099b089a29

SHA1
9ae65be1b1084258bc8b27a46a95621e6cf700c5

SHA256
baba751519a8898dd191f937ef363027583b82e74a08af84ee09e0a219fe9ecd

SHA512
1ee2bed6b2488e3ae2a83b07d0a57186282b29cf07ba6144a6c5a6ac67b16f40a0deeb062fac097a2594b51fbbdb80f701face9a7291d72d02acb03b21555d39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\e579673.exe

Filesize
88KB

MD5
332d8e1ba65e137c0def5751ff5ee963

SHA1
69b5f9296bc2e23e3dd5c10eb857f74adfe8b490

SHA256
fef93d231108f37c546b13616ca93083cb798ce24c58a8d4bfb9056989ab8560

SHA512
0ef592474b67d5c63751c9b2bcbdf615b5f34aff089ae7ec9aa5d3f162d800d2105b399e6d7f12ef7ecfc74c50b6199720de3a5149b01cf47c4bc63dc3accfaa

Download Submit
memory/1148-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1148-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4064-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download