122adb7aca34095fba6a288e07b1ce12192a99c626a2428c8e460eb517a6903a

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
Size

212KB
MD5

3b0ac82e98518d0e7e8f2188d3077987
SHA1

77dbb003ab39fff4000d9ade701cc338d6b64e3b
SHA256

122adb7aca34095fba6a288e07b1ce12192a99c626a2428c8e460eb517a6903a
SHA512

dc7ed8b8e2383a6892bdd8461c6031dd82cc9cadcc44baf9795c2481829c0768a097c162ed00a60477d0e927db8caffc6a6da00189a226d2c159e0398421f336
SSDEEP

3072:XV2syVGcegYpDZ6Unfis4YVYWtBH8TCcE2hlbeMgg6BhraivprqU07UHF:UVggYpDZtfCPWtRu5hlbqlAivpmU0KF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2216	taskmngr.exe
3044	taskmngr.exe
2672	taskmngr.exe
2208	taskmngr.exe
3000	taskmngr.exe
2964	taskmngr.exe
1456	taskmngr.exe
996	taskmngr.exe
1056	taskmngr.exe
1384	taskmngr.exe

Loads dropped DLL 20 IoCs

pid	Process
2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
2216	taskmngr.exe
2216	taskmngr.exe
3044	taskmngr.exe
3044	taskmngr.exe
2672	taskmngr.exe
2672	taskmngr.exe
2208	taskmngr.exe
2208	taskmngr.exe
3000	taskmngr.exe
3000	taskmngr.exe
2964	taskmngr.exe
2964	taskmngr.exe
1456	taskmngr.exe
1456	taskmngr.exe
996	taskmngr.exe
996	taskmngr.exe
1056	taskmngr.exe
1056	taskmngr.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2216	2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2216	2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2216	2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2216	2544	3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe	30
PID 2216 wrote to memory of 3044	2216	taskmngr.exe	31
PID 2216 wrote to memory of 3044	2216	taskmngr.exe	31
PID 2216 wrote to memory of 3044	2216	taskmngr.exe	31
PID 2216 wrote to memory of 3044	2216	taskmngr.exe	31
PID 3044 wrote to memory of 2672	3044	taskmngr.exe	33
PID 3044 wrote to memory of 2672	3044	taskmngr.exe	33
PID 3044 wrote to memory of 2672	3044	taskmngr.exe	33
PID 3044 wrote to memory of 2672	3044	taskmngr.exe	33
PID 2672 wrote to memory of 2208	2672	taskmngr.exe	34
PID 2672 wrote to memory of 2208	2672	taskmngr.exe	34
PID 2672 wrote to memory of 2208	2672	taskmngr.exe	34
PID 2672 wrote to memory of 2208	2672	taskmngr.exe	34
PID 2208 wrote to memory of 3000	2208	taskmngr.exe	35
PID 2208 wrote to memory of 3000	2208	taskmngr.exe	35
PID 2208 wrote to memory of 3000	2208	taskmngr.exe	35
PID 2208 wrote to memory of 3000	2208	taskmngr.exe	35
PID 3000 wrote to memory of 2964	3000	taskmngr.exe	36
PID 3000 wrote to memory of 2964	3000	taskmngr.exe	36
PID 3000 wrote to memory of 2964	3000	taskmngr.exe	36
PID 3000 wrote to memory of 2964	3000	taskmngr.exe	36
PID 2964 wrote to memory of 1456	2964	taskmngr.exe	37
PID 2964 wrote to memory of 1456	2964	taskmngr.exe	37
PID 2964 wrote to memory of 1456	2964	taskmngr.exe	37
PID 2964 wrote to memory of 1456	2964	taskmngr.exe	37
PID 1456 wrote to memory of 996	1456	taskmngr.exe	38
PID 1456 wrote to memory of 996	1456	taskmngr.exe	38
PID 1456 wrote to memory of 996	1456	taskmngr.exe	38
PID 1456 wrote to memory of 996	1456	taskmngr.exe	38
PID 996 wrote to memory of 1056	996	taskmngr.exe	39
PID 996 wrote to memory of 1056	996	taskmngr.exe	39
PID 996 wrote to memory of 1056	996	taskmngr.exe	39
PID 996 wrote to memory of 1056	996	taskmngr.exe	39
PID 1056 wrote to memory of 1384	1056	taskmngr.exe	40
PID 1056 wrote to memory of 1384	1056	taskmngr.exe	40
PID 1056 wrote to memory of 1384	1056	taskmngr.exe	40
PID 1056 wrote to memory of 1384	1056	taskmngr.exe	40

C:\Users\Admin\AppData\Local\Temp\3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\taskmngr.exe
  C:\Windows\system32\taskmngr.exe 480 "C:\Users\Admin\AppData\Local\Temp\3b0ac82e98518d0e7e8f2188d3077987_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\taskmngr.exe
    C:\Windows\system32\taskmngr.exe 532 "C:\Windows\SysWOW64\taskmngr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\taskmngr.exe
      C:\Windows\system32\taskmngr.exe 536 "C:\Windows\SysWOW64\taskmngr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 560 "C:\Windows\SysWOW64\taskmngr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 556 "C:\Windows\SysWOW64\taskmngr.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 552 "C:\Windows\SysWOW64\taskmngr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 564 "C:\Windows\SysWOW64\taskmngr.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 540 "C:\Windows\SysWOW64\taskmngr.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 544 "C:\Windows\SysWOW64\taskmngr.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 576 "C:\Windows\SysWOW64\taskmngr.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\taskmngr.exe

Filesize
212KB

MD5
3b0ac82e98518d0e7e8f2188d3077987

SHA1
77dbb003ab39fff4000d9ade701cc338d6b64e3b

SHA256
122adb7aca34095fba6a288e07b1ce12192a99c626a2428c8e460eb517a6903a

SHA512
dc7ed8b8e2383a6892bdd8461c6031dd82cc9cadcc44baf9795c2481829c0768a097c162ed00a60477d0e927db8caffc6a6da00189a226d2c159e0398421f336

Download Submit
memory/996-56-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1056-62-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1056-60-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1384-67-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1456-51-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2208-33-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2208-35-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2216-16-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2216-12-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2544-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2544-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2544-11-0x0000000002880000-0x0000000002940000-memory.dmp

Filesize
768KB

Download
memory/2672-28-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2672-26-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2672-32-0x0000000002650000-0x0000000002710000-memory.dmp

Filesize
768KB

Download
memory/2964-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3000-39-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3000-41-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3044-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3044-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads