fea2457bd9e2a1c5f5492e2e4f4d32b802a0bf7909202a8ed7f8c804753d094f

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 18:29

Target

42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe
Size

95KB
MD5

42d715fcf1e4150a6e470a742de66f8e
SHA1

6f667f3b5d4e899f0784c4efe1e8ed9763dfc150
SHA256

fea2457bd9e2a1c5f5492e2e4f4d32b802a0bf7909202a8ed7f8c804753d094f
SHA512

4685fcf30438ed0fcdf02bc3d5d507f4d0fa0110beb797ee3f085cf8bbfb7ba9416d01eb3de3548af678116823c7e894f49a8108a4f0cde64a584347302dff02
SSDEEP

1536:rj9VU/R51ZIdJ2N5aMHHHFSRAKuOAp29HvCRMvYQpZjStnebRCAEF8sE46Yeojnv:MX4doFH4RABp29wqYoZuteNsB6lqndZ

Score

7^/10

upx

Executes dropped EXE 3 IoCs

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4888-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4888-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ad405cn\ATLcom.dll	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe
File created	C:\Windows\ad405cn\Update.exe	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe
File created	C:\Windows\ad405cn\info2asp.exe	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe
File created	C:\Windows\ad405cn\iePlayer.exe	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2456	3124	WerFault.exe	88
3628	3124	WerFault.exe	88
2284	1492	WerFault.exe	87

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 5028	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 5028	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 5028	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	85
PID 4888 wrote to memory of 1492	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	87
PID 4888 wrote to memory of 1492	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	87
PID 4888 wrote to memory of 1492	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	87
PID 4888 wrote to memory of 3124	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	88
PID 4888 wrote to memory of 3124	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	88
PID 4888 wrote to memory of 3124	4888	42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42d715fcf1e4150a6e470a742de66f8e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\ad405cn\Update.exe
  C:\Windows\ad405cn\Update.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\ad405cn\info2asp.exe
  C:\Windows\ad405cn\info2asp.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473
  2⤵
  - Executes dropped EXE
  PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 828
    3⤵
    - Program crash
    PID:2284
- C:\Windows\ad405cn\iePlayer.exe
  C:\Windows\ad405cn\iePlayer.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473
  2⤵
  - Executes dropped EXE
  PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 444
    3⤵
    - Program crash
    PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 444
    3⤵
    - Program crash
    PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3124 -ip 3124
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3124 -ip 3124
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1492 -ip 1492
1⤵
PID:1968

C:\Windows\ad405cn\Update.exe

Filesize
56KB

MD5
4012770c24355d473f3204da2c417294

SHA1
50f7da5120f0dd95dfa8c227cee0717aa135b03c

SHA256
b4424e0a30e08f71504efc7359a8a2bfb489b307013337f2c6d9880f1695eda0

SHA512
bb14469d97bda5fceee428ab965f2e571988a675ed0bfe57768cb6bedbc60a56dccae8594c8b6b44a9f16794eb7fc600b44923c28bca7b99989af9d77656d263

Download Submit
C:\Windows\ad405cn\iePlayer.exe

Filesize
66KB

MD5
e4f5bdf0ed0c9d4a934138c63f4b25b5

SHA1
c9a9c17a2563843d690155705d2818b14dbaf4da

SHA256
dd0069710a395ef2e05dc5972db2881a1cd8d1ed4bae41bad1e538f939150b96

SHA512
e3335ee44705e57dd1ac1d43c10d677b4412e2cdaa1c8f8cd438a0a6498f5596a86d1e1c5ef76db45678dc118f9b6bf6f9a90e04cc238554d0ace9f2b6f2c721

Download Submit
C:\Windows\ad405cn\info2asp.exe

Filesize
41KB

MD5
239cf0c432acfa6e2aa4c2a16a39bc0f

SHA1
26824ce5ee668dc16786341690566704486245ac

SHA256
f81b69a0dd1b546c7b15d13eb47058c9156f7f98ceb936e05c7a7b0b7d847a6b

SHA512
977454187a73e0dfba1fd6f95b6ea5c85bd9160d16dad6f607aad2ebbd44c12320147d593ce09ddcd95a60f809ca73564b7f831561a671050afda41b99e159e8

Download Submit
memory/4888-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4888-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download