3bdf2fbe40e66694bd5f7eadd6e20ed53853be1e3712e1c02358939ded9fb0fa

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 04:57

Target

3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe
Size

148KB
MD5

3c0dc8c88dfe77e2b73070af5e6d7e34
SHA1

17bfe4783b173325cac44db567eb465b82523d6b
SHA256

3bdf2fbe40e66694bd5f7eadd6e20ed53853be1e3712e1c02358939ded9fb0fa
SHA512

825945dc01ccfa80e81aee9d69a01c996dc24be0a1670cba9d307d9555c7dc6930b6c67281ab0c9597515cc3ca91a578210ee9b2331594241900413acebd9ccf
SSDEEP

3072:BkU5LyEFgDtHrdYaa7Arvm0xwdK6dmblpZPetP+Xyz33:dUDtHr+aiAr9Y3dmJby33

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2504-0-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/2504-4-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\task.exe	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\task.exe	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe
2504	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 3548	2504	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe	83
PID 2504 wrote to memory of 3548	2504	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe	83
PID 2504 wrote to memory of 3548	2504	3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c0dc8c88dfe77e2b73070af5e6d7e34_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a64472$$.bat
  2⤵
  PID:3548

C:\Users\Admin\AppData\Local\Temp\$$a64472$$.bat

Filesize
152B

MD5
c16a0bd4271ad5919ba31a6bdb4ca7c3

SHA1
b27e8f998f97ad92ce6466b74b80e4b62574eb92

SHA256
0c62f5883d9befbf77c3ff4d94b1a4e30a873c921756b010aa0dab9e4aebd6aa

SHA512
38bf6dda92d7a78f7b96b661fd27533c1ec3a595d2c3f8c1e3cf1f80f603317da4876737f8c4ab4a12b5132a3590d6506945e7439e17978051ac8f85a5feb3e3

Download Submit
memory/2504-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2504-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download