b2d2a0a813ac9e818773a49e6844a1f03768f5a07846e1aa2ee38c8eeaa17c15

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 15:56

Target

39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe
Size

112KB
MD5

39cb1bb1329789aa20bf96a08556f021
SHA1

03bc940ea224567d6748f2d4eaaf944ae5ab8830
SHA256

b2d2a0a813ac9e818773a49e6844a1f03768f5a07846e1aa2ee38c8eeaa17c15
SHA512

60a7e24fdd056b5f83f9f9e23d5a49dea83e75d3c28663dd997d6bc8502b1c70465029b16f433415d8d883df01f05ae6ff608750b4eb35ba208db4d3889a30dd
SSDEEP

768:kanwZ0i8nA88nwcW03zqhaB4janwE0QmKc:kanBZcwH03+Jjan/0Q

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4744	serve.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\serve.exe	39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\runole32.dll	39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3116	4868	39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3116	4868	39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3116	4868	39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39cb1bb1329789aa20bf96a08556f021_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:3116

C:\WINDOWS\SysWOW64\serve.exe
C:\WINDOWS\SysWOW64\serve.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
792b09b9f993bb6e9336fe4155d1ef9a

SHA1
2c7aa0ceb39069103ec8241ca05ed3b3420b0d61

SHA256
68ce879856b9013e2ab5c72df665681f90454a5869dc1ada3c086ab80813ba82

SHA512
fef03d2a3a8b0555c2f405c8547a2bbbade9fe4a87f74b6b9d560c965a31fc98156701adf0350e3253f375c27b44a778f83aed56db5d9d30460a0f91d0323c7a

Download Submit
C:\Windows\SysWOW64\serve.exe

Filesize
16KB

MD5
118ccd5f5079c00a81375e3ae7d44b07

SHA1
bcb7da7f70ec40fd3157ec0631f79868fe15bb0e

SHA256
fe3584bc4145b0d02b32743f6bc4b344f0dd822ce16c10b446315c9a34f2662c

SHA512
e56d6a1dcde982d68d7556dfbfc044950a5dd6096f3ff2f7a0d9d0f9bc58d7077f98a65b2ac77ac28e3be17a2bf7dee8140fd62aaa6484f265ab0a019caaa4b2

Download Submit