d05e891c190542796811a37b23639bcf5bdfb411584d91b26dbfc154dddab176

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 01:17

Target

3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe
Size

130KB
MD5

3b7762cbcb4cad811b13829684c8b35d
SHA1

402fa06a4aa68f1dc9de5de6e17dca6392be0840
SHA256

d05e891c190542796811a37b23639bcf5bdfb411584d91b26dbfc154dddab176
SHA512

6e05ac41dc232f859c12686c162b3c5cbdd0f2d1a169a19d25d459b1a4aecdc2263b2fcc8f763de0a984ec56667bf9190efc53c88b7c0f4ce1a916da87a2a154
SSDEEP

3072:eH3J5/PNA9cmxGQZ78RdRgcJAJ9MoOqmP0uCp:G3JpPrmxr7kvJACoU0u

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lilo.exe	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Lilo.exe	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\Lilo.dll	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D2CCF4-F674-48C7-9F89-F150DF63CCAE}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D2CCF4-F674-48C7-9F89-F150DF63CCAE}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D2CCF4-F674-48C7-9F89-F150DF63CCAE}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D2CCF4-F674-48C7-9F89-F150DF63CCAE}\InProcServer32\ = "C:\\Windows\\Debug\\Lilo.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4D2CCF4-F674-48C7-9F89-F150DF63CCAE}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1916	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2832	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	83
PID 744 wrote to memory of 2832	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	83
PID 744 wrote to memory of 2832	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	83
PID 744 wrote to memory of 1196	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	84
PID 744 wrote to memory of 1196	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	84
PID 744 wrote to memory of 1196	744	3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe	84
PID 2832 wrote to memory of 1916	2832	cmd.exe	87
PID 2832 wrote to memory of 1916	2832	cmd.exe	87
PID 2832 wrote to memory of 1916	2832	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sdwfew.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\xyntw.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\3b7762cbcb4cad811b13829684c8b35d_JaffaCakes118.exe"
  2⤵
  PID:1196

C:\Users\Admin\AppData\Local\Temp\sdwfew.bat

Filesize
124B

MD5
dad24a7e49197cf66c5e960506bf1e79

SHA1
94dad2ee9cdad8dec48274e59122f02f5175a80c

SHA256
2515771e9699744b07e0047aa69d4c883520c245ebe3d530886b42330b2934f9

SHA512
fd7cbbcdc0db83921242114a27b4b99de160266df2c897ad0027bc128fd9f2eee52fc7bc0a2974c1f9d7dd68de633275507bae712490033a0e5223faa5f5af76

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyntw.reg

Filesize
400B

MD5
047ae13a27eab9bb22936bd9cd071479

SHA1
3ee7db6f4d67292a9ce14a1fc7bab9a3231bce90

SHA256
357310340cb961f32087608f079b45daec4735d1d7a45863976887a74972625b

SHA512
bb3c5588717919a00362f9abf236c2f15e73c790c3d6b71f7fe3626b30124369892bea8dc613b71e2ac573ae8b035bed6bf2a6986bb0bb5ab7519c06b3ce00ff

Download Submit
memory/744-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-1-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/744-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download