17cdea51b6f610a8fbb8ccf3decf125a9d1a37c5bcb669de2de654aef41911d7

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 00:12

Target

3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe
Size

44KB
MD5

3f714b5c0d1c569d48ad96319f39bc9e
SHA1

13ed42aeffe5f7907579f1ccc5b1eccdd53e5aef
SHA256

17cdea51b6f610a8fbb8ccf3decf125a9d1a37c5bcb669de2de654aef41911d7
SHA512

29588fd375b4aa529f820fbe479e6a7c48d3cdef70b3244ee4f1f2c49c673fc3bc516540e571e50d799a9e6d86162826d2fda37ff5f31f75c1777c86255119cd
SSDEEP

768:4vDI899xgThJrpwMgVEB0JS/8Dwc8yFpU1eZBeun:4vDHLgFwJk0XwY3

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Downdll.dll	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Downdll.dll	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2640	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2640	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2640	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2640	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2640	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2776	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2776	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2776	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2776	2624	3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f714b5c0d1c569d48ad96319f39bc9e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624
- C:\program files\internet explorer\iexplore.exe
  "C:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2776

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
5d89c2121885826b8b226c209ee94da1

SHA1
8058c2c1efe8ffef8441b45229913a8c6c002d13

SHA256
d4155c0d703d9a0f070467df843c8bc13b9e5b801df26a81e87f6c0eba2463c1

SHA512
1da609310d488e46f748727aa4b4fc96a468910e1cb3d0cad6deef6ff275c43c970615d02f069657aa134709c8a02e5908702a420cc88a10375a4f976f046474

Download Submit
memory/2624-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download