8b8496785fd976634e1da5445832a6d70a7bf6d4942b5b0a8b6ee4529a1cdb49

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 13:04

Target

393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
Size

73KB
MD5

393b8621611b5e9ef9e6640fdbea3ab4
SHA1

cac963d035181b445b37718187cb7c0dfd4fe6bd
SHA256

8b8496785fd976634e1da5445832a6d70a7bf6d4942b5b0a8b6ee4529a1cdb49
SHA512

86417617917b0fc79458cff213fd6a7e05de58eb38055ad2caf3bf70a25935fb0cbe04e70d645296435281179d328d08cb339239e9e0af2050f283b3d32186b1
SSDEEP

1536:B45NKceomsWEd8xK/i9GUGJdvAh3yt+kDhCgJxYr8SNZZ2AFcZA:BiK1oh2KAGUsGh0EgjtSNyZA

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\B831406A9770.dll	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\B831406A9770.dll	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\ = "fsvdf"	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ = "C:\\Windows\\Debug\\B831406A9770.dll"	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1052	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	83
PID 5092 wrote to memory of 1052	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	83
PID 5092 wrote to memory of 1052	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	83
PID 5092 wrote to memory of 5020	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	88
PID 5092 wrote to memory of 5020	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	88
PID 5092 wrote to memory of 5020	5092	393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\393b8621611b5e9ef9e6640fdbea3ab4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:5020

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
42B

MD5
e2c90b4108d6899c176945db5880fda3

SHA1
72df532c23b24cb1e7a788247bb55f5cd25a7dc4

SHA256
ce61660e78fd68ec71bd2340e790a43806bac1050d177dadf885c5e73971c34a

SHA512
d237ba29529e695165606cc0b3e5b36620697ad0c57ce6202748a36868c1e8583ba1f4d61698d5fccc02a151795c1c19c18be33bcef26abcd4ec8fde570c1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
53B

MD5
a4d96053046664ff91d68bc81a14648a

SHA1
ab84671f8ffbcfa80e577447a50af7616252eaef

SHA256
6105f59d1897f2ce11f0faf2f6f81ceb5e0bec3493a8243a23148351d6d616bf

SHA512
9cc4789c71260ae7c9eb047230ad30d0dd97185c201343c7f3eb4308c1504b937d7e2113c2f4a5ba9d5703693d2edf165346a2cbd1c28a79089578fb25ec7e3f

Download Submit
C:\Windows\debug\B831406A9770.dll

Filesize
154KB

MD5
6c37196f71a8b65864ab335efb6079f1

SHA1
cad00f9dcc3a460255f9a16303494d14da8d7ad4

SHA256
6f829dd99c15bf1abbcda0eed1113994f92143fb64fd0c7daa36d84594825887

SHA512
85cb36f05edf4af26404ed01e43adc0890f53f1eb23d277b8b6811d987cbb00e433916a81360435c1a7caecbcca6e518f05b1274e5a7936b938614114a1ba6fe

Download Submit
memory/5092-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5092-11-0x00000000022B0000-0x00000000022DB000-memory.dmp

Filesize
172KB

Download
memory/5092-15-0x00000000022B0000-0x00000000022DB000-memory.dmp

Filesize
172KB

Download
memory/5092-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download