e1a026ac888b1e62d5759bee4b274f6e35618813e8ddb135d52800adebf3460f

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 03:52

Target

3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe
Size

273KB
MD5

3333f3e6810d025db4fd1a8d7b33402c
SHA1

cf7e61504baac64f21a02514f7865b69cd47d0b3
SHA256

e1a026ac888b1e62d5759bee4b274f6e35618813e8ddb135d52800adebf3460f
SHA512

1c0396d86068d965f72a871bfca1461940d3b33b72c3023535dba9c5138d4f04074e7134cc99d8a894822d8883b09901a77067f093ee1fef0fcd5e6e3f369776
SSDEEP

6144:O0Thx09JkyUur2jA0tTzYQ4JwJTPdsUVUuKKtZqLl1Dl:O+iGqeH3FVUIqp1

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	Sys312

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\Sys312	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Sys312	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Delete.bat	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	Sys312
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	Sys312
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	Sys312
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Sys312

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	Sys312

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2708	2812	Sys312	31
PID 2812 wrote to memory of 2708	2812	Sys312	31
PID 2812 wrote to memory of 2708	2812	Sys312	31
PID 2812 wrote to memory of 2708	2812	Sys312	31
PID 2664 wrote to memory of 2788	2664	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2788	2664	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2788	2664	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2788	2664	3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3333f3e6810d025db4fd1a8d7b33402c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Delete.bat
  2⤵
  - Deletes itself
  PID:2788

C:\Program Files (x86)\Common Files\System\Sys312
"C:\Program Files (x86)\Common Files\System\Sys312"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2708

C:\Program Files (x86)\Common Files\System\Sys312

Filesize
273KB

MD5
3333f3e6810d025db4fd1a8d7b33402c

SHA1
cf7e61504baac64f21a02514f7865b69cd47d0b3

SHA256
e1a026ac888b1e62d5759bee4b274f6e35618813e8ddb135d52800adebf3460f

SHA512
1c0396d86068d965f72a871bfca1461940d3b33b72c3023535dba9c5138d4f04074e7134cc99d8a894822d8883b09901a77067f093ee1fef0fcd5e6e3f369776

Download Submit
C:\Windows\Delete.bat

Filesize
214B

MD5
0631eee4569ec840c27ecdbaf771ede1

SHA1
4f9fc231b7de8b87fcec5e34888630a6c5d03441

SHA256
90eb181b9b5dc846df0a113601edf5ab4c43adcc473f73da0a2a21434d6224c8

SHA512
4ef5ccf066310b04adc28b2d9d4ddb97ac34edc42825483ab3b8215226a98c7387738fe7f93553cbf9087ae7d43b6b6f093c45b2d0e933b643b5d7671b884142

Download Submit
memory/2664-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x0000000000400000-0x00000000004B0038-memory.dmp

Filesize
704KB

Download
memory/2812-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2812-15-0x0000000000400000-0x00000000004B0038-memory.dmp

Filesize
704KB

Download
memory/2812-17-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download