15232c3d62473309bc7dc6628c01809f2f95023c4209a4e64d6dfa1aa22f2529

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe
Size

194KB
MD5

3be5f8196e60eb582394606f2e2bd27b
SHA1

0d0b89d21e2ed9ebe54a1759a9fe74f6e5254106
SHA256

15232c3d62473309bc7dc6628c01809f2f95023c4209a4e64d6dfa1aa22f2529
SHA512

3fcd1098c5ef30d28acac8d7dc327d5a67902f9f05698818d6f229b6c9a27b740e69436eb767a9edbd93080edc67303ef146c41dc313a3902f6c66d8f9fd117a
SSDEEP

3072:p3I+6fKZ00txv7c4JrEWR79FRmNcYmvDckbnJLCf+savRq5wAQSvtlz8zpsC:p4PMtFhfnmmYMDckMzQez8zps

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2532	svchost.exe
2916	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\svchost.exe	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 2532 set thread context of 2916	2532	svchost.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	svchost.exe
2916	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2524	1644	3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2916	2532	svchost.exe	32
PID 2532 wrote to memory of 2916	2532	svchost.exe	32
PID 2532 wrote to memory of 2916	2532	svchost.exe	32
PID 2532 wrote to memory of 2916	2532	svchost.exe	32
PID 2532 wrote to memory of 2916	2532	svchost.exe	32
PID 2532 wrote to memory of 2916	2532	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3be5f8196e60eb582394606f2e2bd27b_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  PID:2524

C:\Windows\SysWOW64\config\svchost.exe
C:\Windows\SysWOW64\config\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\config\svchost.exe
  C:\Windows\SysWOW64\config\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\svchost.exe

Filesize
194KB

MD5
3be5f8196e60eb582394606f2e2bd27b

SHA1
0d0b89d21e2ed9ebe54a1759a9fe74f6e5254106

SHA256
15232c3d62473309bc7dc6628c01809f2f95023c4209a4e64d6dfa1aa22f2529

SHA512
3fcd1098c5ef30d28acac8d7dc327d5a67902f9f05698818d6f229b6c9a27b740e69436eb767a9edbd93080edc67303ef146c41dc313a3902f6c66d8f9fd117a

Download Submit
memory/1644-6-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2524-13-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-1-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-5-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-8-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-7-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-4-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2524-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-24-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/2916-25-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2916-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-26-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2916-32-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2916-34-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2916-36-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download
memory/2916-38-0x0000000001000000-0x0000000001047000-memory.dmp

Filesize
284KB

Download