3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 01:48

Target

3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
Size

216KB
MD5

3fb76896ddf8edd57e2759c7fbc4d3b1
SHA1

4cb1ae845ac3670a3d6d2f3a3dbf386ce419dfd4
SHA256

3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac
SHA512

6b6a252575e20646085d747894a2ba14ae4ee3217ceb0650c67061d0b2895d1775071f38bd88480ef28df21b7216224c4bf2a62766b9d21a60ff627cebf66143
SSDEEP

6144:PUao/pNNfzgOuIwEZrg1t10oeKLH21ntTZq:sv/rNfJVwj1teKH2vtq

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2256	Remote.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 4332	2256	Remote.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Remote.exe	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
File opened for modification	C:\Windows\Remote.exe	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3944	4332	WerFault.exe	87

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4332	2256	Remote.exe	87
PID 2256 wrote to memory of 4332	2256	Remote.exe	87
PID 2256 wrote to memory of 4332	2256	Remote.exe	87
PID 2256 wrote to memory of 4332	2256	Remote.exe	87
PID 2256 wrote to memory of 4332	2256	Remote.exe	87
PID 1040 wrote to memory of 4928	1040	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	88
PID 1040 wrote to memory of 4928	1040	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	88
PID 1040 wrote to memory of 4928	1040	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4823.bat
  2⤵
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4332 -ip 4332
1⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\4823.bat

Filesize
226B

MD5
cb1f481bcf9917bf1df48b301535ea1e

SHA1
89fb043b5b29c80ef2ea03ebe386589d5f3df86b

SHA256
27bffc589872a00da38701e5117fd18673cd8106309401ff68f52d295cf4df01

SHA512
c0c65e23a52496107f75cc3cc6a37145f3346e8e346bbc7a0277805f35b485e4c5848134b4eaf152f7c1561b16a6eca3e7e43693df48b4bc3fe15e108d96ea0c

Download Submit
C:\Windows\Remote.exe

Filesize
216KB

MD5
3fb76896ddf8edd57e2759c7fbc4d3b1

SHA1
4cb1ae845ac3670a3d6d2f3a3dbf386ce419dfd4

SHA256
3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac

SHA512
6b6a252575e20646085d747894a2ba14ae4ee3217ceb0650c67061d0b2895d1775071f38bd88480ef28df21b7216224c4bf2a62766b9d21a60ff627cebf66143

Download Submit
memory/1040-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1040-1-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1040-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2256-10-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2256-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4332-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download