d10cebd566912f2c5fcfe5b30c9815182c63255f55a3527c9753f0905d8b976f

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
Size

88KB
MD5

405665b87ea285e182004f016ab401fa
SHA1

8de4ed73a58d7df3f6680a8c93a76e3b04297903
SHA256

d10cebd566912f2c5fcfe5b30c9815182c63255f55a3527c9753f0905d8b976f
SHA512

17849dcc09f27698cc6236c785c9eaac90e662441c61d82e016935df97ce6aa2ac0ad3294f55286c035a92a8b52ebd104a2c4c0b7ec12add899ad06921f5a7d2
SSDEEP

1536:ErRcmlnSfIDNBlwp/Ux31k5tu0xyf/792TgQPGXPVZSCcvyqHtZjLAu+h9PV:ErRcmeIpBlw/w10tupf/792TPPOX4NJQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2848	atividx.exe
2516	atividx.exe
2272	atividx.exe
1644	atividx.exe
2600	atividx.exe
556	atividx.exe
604	atividx.exe
2988	atividx.exe
2072	atividx.exe
1712	atividx.exe

Loads dropped DLL 20 IoCs

pid	Process
2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
2848	atividx.exe
2848	atividx.exe
2516	atividx.exe
2516	atividx.exe
2272	atividx.exe
2272	atividx.exe
1644	atividx.exe
1644	atividx.exe
2600	atividx.exe
2600	atividx.exe
556	atividx.exe
556	atividx.exe
604	atividx.exe
604	atividx.exe
2988	atividx.exe
2988	atividx.exe
2072	atividx.exe
2072	atividx.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\atividx.exe	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File opened for modification	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe
File created	C:\Windows\SysWOW64\atividx.exe	atividx.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2848	2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2848	2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2848	2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2848	2756	405665b87ea285e182004f016ab401fa_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2516	2848	atividx.exe	31
PID 2848 wrote to memory of 2516	2848	atividx.exe	31
PID 2848 wrote to memory of 2516	2848	atividx.exe	31
PID 2848 wrote to memory of 2516	2848	atividx.exe	31
PID 2516 wrote to memory of 2272	2516	atividx.exe	32
PID 2516 wrote to memory of 2272	2516	atividx.exe	32
PID 2516 wrote to memory of 2272	2516	atividx.exe	32
PID 2516 wrote to memory of 2272	2516	atividx.exe	32
PID 2272 wrote to memory of 1644	2272	atividx.exe	33
PID 2272 wrote to memory of 1644	2272	atividx.exe	33
PID 2272 wrote to memory of 1644	2272	atividx.exe	33
PID 2272 wrote to memory of 1644	2272	atividx.exe	33
PID 1644 wrote to memory of 2600	1644	atividx.exe	34
PID 1644 wrote to memory of 2600	1644	atividx.exe	34
PID 1644 wrote to memory of 2600	1644	atividx.exe	34
PID 1644 wrote to memory of 2600	1644	atividx.exe	34
PID 2600 wrote to memory of 556	2600	atividx.exe	35
PID 2600 wrote to memory of 556	2600	atividx.exe	35
PID 2600 wrote to memory of 556	2600	atividx.exe	35
PID 2600 wrote to memory of 556	2600	atividx.exe	35
PID 556 wrote to memory of 604	556	atividx.exe	36
PID 556 wrote to memory of 604	556	atividx.exe	36
PID 556 wrote to memory of 604	556	atividx.exe	36
PID 556 wrote to memory of 604	556	atividx.exe	36
PID 604 wrote to memory of 2988	604	atividx.exe	37
PID 604 wrote to memory of 2988	604	atividx.exe	37
PID 604 wrote to memory of 2988	604	atividx.exe	37
PID 604 wrote to memory of 2988	604	atividx.exe	37
PID 2988 wrote to memory of 2072	2988	atividx.exe	38
PID 2988 wrote to memory of 2072	2988	atividx.exe	38
PID 2988 wrote to memory of 2072	2988	atividx.exe	38
PID 2988 wrote to memory of 2072	2988	atividx.exe	38
PID 2072 wrote to memory of 1712	2072	atividx.exe	39
PID 2072 wrote to memory of 1712	2072	atividx.exe	39
PID 2072 wrote to memory of 1712	2072	atividx.exe	39
PID 2072 wrote to memory of 1712	2072	atividx.exe	39

C:\Users\Admin\AppData\Local\Temp\405665b87ea285e182004f016ab401fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\405665b87ea285e182004f016ab401fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\atividx.exe
  C:\Windows\system32\atividx.exe 476 "C:\Users\Admin\AppData\Local\Temp\405665b87ea285e182004f016ab401fa_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\atividx.exe
    C:\Windows\system32\atividx.exe 544 "C:\Windows\SysWOW64\atividx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\atividx.exe
      C:\Windows\system32\atividx.exe 528 "C:\Windows\SysWOW64\atividx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 532 "C:\Windows\SysWOW64\atividx.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 536 "C:\Windows\SysWOW64\atividx.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 540 "C:\Windows\SysWOW64\atividx.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 548 "C:\Windows\SysWOW64\atividx.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 552 "C:\Windows\SysWOW64\atividx.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 556 "C:\Windows\SysWOW64\atividx.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\atividx.exe
        
        C:\Windows\system32\atividx.exe 560 "C:\Windows\SysWOW64\atividx.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\atividx.exe

Filesize
88KB

MD5
405665b87ea285e182004f016ab401fa

SHA1
8de4ed73a58d7df3f6680a8c93a76e3b04297903

SHA256
d10cebd566912f2c5fcfe5b30c9815182c63255f55a3527c9753f0905d8b976f

SHA512
17849dcc09f27698cc6236c785c9eaac90e662441c61d82e016935df97ce6aa2ac0ad3294f55286c035a92a8b52ebd104a2c4c0b7ec12add899ad06921f5a7d2

Download Submit
memory/556-58-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/556-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/604-65-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/604-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1644-42-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1644-44-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1712-86-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1712-84-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2072-79-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2072-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2272-36-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2272-34-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2272-41-0x0000000002570000-0x00000000025F5000-memory.dmp

Filesize
532KB

Download
memory/2516-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2516-29-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2516-26-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-49-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2600-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2756-13-0x0000000002460000-0x00000000024E5000-memory.dmp

Filesize
532KB

Download
memory/2756-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2756-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2756-12-0x0000000002460000-0x00000000024E5000-memory.dmp

Filesize
532KB

Download
memory/2756-2-0x000000000046E000-0x0000000000484000-memory.dmp

Filesize
88KB

Download
memory/2756-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2848-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2848-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2848-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2988-72-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2988-70-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads