502305945493b5cdff9123324febfc4ffc4ebf09c73d26ce9429b4cb76f5a107

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 07:28

Target

33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe
Size

21KB
MD5

33caeef04043aa35a1f2ef95613e1cca
SHA1

fc06cbb9294757cc53966ee74ee7a116d8cd8405
SHA256

502305945493b5cdff9123324febfc4ffc4ebf09c73d26ce9429b4cb76f5a107
SHA512

69429fc56d70eb234848dbbe487e996ea0f08f684eb0d03e747b71c3081ddac4e31fa70bfa0e19836f7327ad025c856b354deeec6b3252400f4e9bf95c55e6cb
SSDEEP

384:CYUNPKYi1bAOrEkRUjIWTMvijD1/UVMG1FcWP8JD0YfhjcXA:uXOrEk2TMiD1AF3EJDa

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	servet.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe
2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servet.exe	servet.exe
File created	C:\Windows\SysWOW64\Deledomn.bat	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\servet.exe	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\servet.exe	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2320	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2320	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2320	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2320	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2756	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2756	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2756	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2756	2708	33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33caeef04043aa35a1f2ef95613e1cca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\servet.exe
  C:\Windows\system32\servet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deledomn.bat
  2⤵
  - Deletes itself
  PID:2756

C:\Windows\SysWOW64\Deledomn.bat

Filesize
212B

MD5
bcc39166df38907f9b061ec8b17a5f43

SHA1
9f4212d9a786ebc404646bede4e07942b7c26494

SHA256
74ee94615129d5d674bc8cc7f20bdede7faf88a1df6ea895d1ba8159fee3a76d

SHA512
d1b4f6a8cf54ec7711210cc796909ab6c9cf9fcdf9d6faea1fbb657965927d475bed22f506dfe908cc1d8e4e033e12432368169d9af949acc3b29f5d15b6192b

Download Submit
\Windows\SysWOW64\servet.exe

Filesize
21KB

MD5
33caeef04043aa35a1f2ef95613e1cca

SHA1
fc06cbb9294757cc53966ee74ee7a116d8cd8405

SHA256
502305945493b5cdff9123324febfc4ffc4ebf09c73d26ce9429b4cb76f5a107

SHA512
69429fc56d70eb234848dbbe487e996ea0f08f684eb0d03e747b71c3081ddac4e31fa70bfa0e19836f7327ad025c856b354deeec6b3252400f4e9bf95c55e6cb

Download Submit
memory/2320-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-11-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2708-10-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2708-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download