d435aa5672503d7dfcaecd2c223414bd2a5c39693aae3e31308ca220c4cef945

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 13:17

Target

34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe
Size

100KB
MD5

34df8dde61fa04ed24cfba2b8d600e9b
SHA1

9561475b9a4771c82b985baba21856f33d24074c
SHA256

d435aa5672503d7dfcaecd2c223414bd2a5c39693aae3e31308ca220c4cef945
SHA512

59cdf55cf47dbb3ddb7bc350692e1317552105f2e813b7c9c552b5ad7bc25742ad6b011c69a28fa0696fc3cdba34b2021566bf1dfdcaa7ace5f9616d3d9220ba
SSDEEP

1536:aqq8Qz4m94XCcqlqmQzYUn72hQtqmk3m6:rO4m2X2iYUn7tc3m6

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1972	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xercesxmldoms.dll	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2136	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	30
PID 2464 wrote to memory of 1972	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	31
PID 2464 wrote to memory of 1972	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	31
PID 2464 wrote to memory of 1972	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	31
PID 2464 wrote to memory of 1972	2464	34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34df8dde61fa04ed24cfba2b8d600e9b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\DEL.bat
  2⤵
  - Deletes itself
  PID:1972

C:\DEL.bat

Filesize
210B

MD5
644367a7bda79f69387372dddf6ee54d

SHA1
1c824fbb91b5bc596d6afb7a8fe5db9a79ebf318

SHA256
a67bcccb14ac88f9b5cc960a67f5667f63b89b54decaa5d92f2b2f0b4b4b0d76

SHA512
978a70b12fc998b053b429aa5042da910d9d86fb9c7cee2f669f4179aa1985bbf8a4ed588267b56ab42cfa46bc7e26af87f641db7d2839d25ff0e6ed664de1b6

Download Submit
C:\Windows\SysWOW64\xercesxmldoms.dll

Filesize
18KB

MD5
fec8b7fa7a33b1c6450ffb495a88355b

SHA1
f1ba929b65e03e00c973b922e05eb1ecf0c947e0

SHA256
085250e44a71b581b7e08f4529864ba38713584937e75091babeb56cfbaf1227

SHA512
e7621ffd295027ac1be5a00257f89401b692a60d67eae48334e65f81291825861f5b7348e82e2fbc336858787e8e6a62465dd0ea2bccad866b17cd617e27b069

Download Submit
memory/2136-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2136-15-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2464-1-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2464-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download