a04ca2d7c4b90d040fc95f3248e85b7f0d00b2b1bc1f304de5c300f23fe30c12

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe
Size

156KB
MD5

4a7fba52a9dc7017abf5a2962ea95fb1
SHA1

885e47fb2928a2a48e22e0d3c6d951b1c0193ef2
SHA256

a04ca2d7c4b90d040fc95f3248e85b7f0d00b2b1bc1f304de5c300f23fe30c12
SHA512

dd69526421abd7d4bd3c3c12675e1a257ed2a9c10c5e73db437c7d38751eaef85fff6ed9dc326c0b3707710e49bd8ff40d4c17eb034bc137ff9b41c2b0f371cf
SSDEEP

3072:+wenTS2y56gbralb4FFEt/7V1x+kH+Cs9ujiKgXUFL6:+1nby5Slb4Hm7V1p+Cs9uPg26

Score

1^/10

Malware Config

Signatures

Suspicious behavior: RenamesItself 24 IoCs

pid	Process
5108	4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe
3984	ryml.exe
2328	kqssjcf.exe
5052	axitsyvzruhw.exe
1632	umyxe.exe
4532	fpoosrwq.exe
3672	tlvjrbdgcxoqv.exe
1028	hqlyjffxr.exe
2856	dimpuziz.exe
2948	gomgjehpbdpf.exe
2860	glhvcpw.exe
2804	ashvv.exe
2416	qilragnri.exe
1680	lnlwxgwkhwc.exe
3644	sikbsor.exe
4968	wfii.exe
940	fykbevenvvtz.exe
2572	qgwgg.exe
3060	crwbrnxxevw.exe
3796	ichqi.exe
2528	ecllqagf.exe
2360	vtiwjdkvxoait.exe
1348	dqdtet.exe
2036	mtfcztlcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3984	5108	4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe	86
PID 5108 wrote to memory of 3984	5108	4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe	86
PID 5108 wrote to memory of 3984	5108	4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe	86
PID 3984 wrote to memory of 2328	3984	ryml.exe	87
PID 3984 wrote to memory of 2328	3984	ryml.exe	87
PID 3984 wrote to memory of 2328	3984	ryml.exe	87
PID 2328 wrote to memory of 5052	2328	kqssjcf.exe	88
PID 2328 wrote to memory of 5052	2328	kqssjcf.exe	88
PID 2328 wrote to memory of 5052	2328	kqssjcf.exe	88
PID 5052 wrote to memory of 1632	5052	axitsyvzruhw.exe	89
PID 5052 wrote to memory of 1632	5052	axitsyvzruhw.exe	89
PID 5052 wrote to memory of 1632	5052	axitsyvzruhw.exe	89
PID 1632 wrote to memory of 4532	1632	umyxe.exe	92
PID 1632 wrote to memory of 4532	1632	umyxe.exe	92
PID 1632 wrote to memory of 4532	1632	umyxe.exe	92
PID 4532 wrote to memory of 3672	4532	fpoosrwq.exe	93
PID 4532 wrote to memory of 3672	4532	fpoosrwq.exe	93
PID 4532 wrote to memory of 3672	4532	fpoosrwq.exe	93
PID 3672 wrote to memory of 1028	3672	tlvjrbdgcxoqv.exe	95
PID 3672 wrote to memory of 1028	3672	tlvjrbdgcxoqv.exe	95
PID 3672 wrote to memory of 1028	3672	tlvjrbdgcxoqv.exe	95
PID 1028 wrote to memory of 2856	1028	hqlyjffxr.exe	96
PID 1028 wrote to memory of 2856	1028	hqlyjffxr.exe	96
PID 1028 wrote to memory of 2856	1028	hqlyjffxr.exe	96
PID 2856 wrote to memory of 2948	2856	dimpuziz.exe	97
PID 2856 wrote to memory of 2948	2856	dimpuziz.exe	97
PID 2856 wrote to memory of 2948	2856	dimpuziz.exe	97
PID 2948 wrote to memory of 2860	2948	gomgjehpbdpf.exe	98
PID 2948 wrote to memory of 2860	2948	gomgjehpbdpf.exe	98
PID 2948 wrote to memory of 2860	2948	gomgjehpbdpf.exe	98
PID 2860 wrote to memory of 2804	2860	glhvcpw.exe	99
PID 2860 wrote to memory of 2804	2860	glhvcpw.exe	99
PID 2860 wrote to memory of 2804	2860	glhvcpw.exe	99
PID 2804 wrote to memory of 2416	2804	ashvv.exe	100
PID 2804 wrote to memory of 2416	2804	ashvv.exe	100
PID 2804 wrote to memory of 2416	2804	ashvv.exe	100
PID 2416 wrote to memory of 1680	2416	qilragnri.exe	101
PID 2416 wrote to memory of 1680	2416	qilragnri.exe	101
PID 2416 wrote to memory of 1680	2416	qilragnri.exe	101
PID 1680 wrote to memory of 3644	1680	lnlwxgwkhwc.exe	102
PID 1680 wrote to memory of 3644	1680	lnlwxgwkhwc.exe	102
PID 1680 wrote to memory of 3644	1680	lnlwxgwkhwc.exe	102
PID 3644 wrote to memory of 4968	3644	sikbsor.exe	103
PID 3644 wrote to memory of 4968	3644	sikbsor.exe	103
PID 3644 wrote to memory of 4968	3644	sikbsor.exe	103
PID 4968 wrote to memory of 940	4968	wfii.exe	104
PID 4968 wrote to memory of 940	4968	wfii.exe	104
PID 4968 wrote to memory of 940	4968	wfii.exe	104
PID 940 wrote to memory of 2572	940	fykbevenvvtz.exe	105
PID 940 wrote to memory of 2572	940	fykbevenvvtz.exe	105
PID 940 wrote to memory of 2572	940	fykbevenvvtz.exe	105
PID 2572 wrote to memory of 3060	2572	qgwgg.exe	106
PID 2572 wrote to memory of 3060	2572	qgwgg.exe	106
PID 2572 wrote to memory of 3060	2572	qgwgg.exe	106
PID 3060 wrote to memory of 3796	3060	crwbrnxxevw.exe	107
PID 3060 wrote to memory of 3796	3060	crwbrnxxevw.exe	107
PID 3060 wrote to memory of 3796	3060	crwbrnxxevw.exe	107
PID 3796 wrote to memory of 2528	3796	ichqi.exe	108
PID 3796 wrote to memory of 2528	3796	ichqi.exe	108
PID 3796 wrote to memory of 2528	3796	ichqi.exe	108
PID 2528 wrote to memory of 2360	2528	ecllqagf.exe	109
PID 2528 wrote to memory of 2360	2528	ecllqagf.exe	109
PID 2528 wrote to memory of 2360	2528	ecllqagf.exe	109
PID 2360 wrote to memory of 1348	2360	vtiwjdkvxoait.exe	110

C:\Users\Admin\AppData\Local\Temp\4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a7fba52a9dc7017abf5a2962ea95fb1_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\ryml.exe
  C:\Windows\system32\ryml.exe
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\kqssjcf.exe
    C:\Windows\system32\kqssjcf.exe
    3⤵
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\axitsyvzruhw.exe
      C:\Windows\system32\axitsyvzruhw.exe
      4⤵
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\SysWOW64\umyxe.exe
        
        C:\Windows\system32\umyxe.exe
        5⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\fpoosrwq.exe
        
        C:\Windows\system32\fpoosrwq.exe
        6⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\tlvjrbdgcxoqv.exe
        
        C:\Windows\system32\tlvjrbdgcxoqv.exe
        7⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\hqlyjffxr.exe
        
        C:\Windows\system32\hqlyjffxr.exe
        8⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\dimpuziz.exe
        
        C:\Windows\system32\dimpuziz.exe
        9⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\gomgjehpbdpf.exe
        
        C:\Windows\system32\gomgjehpbdpf.exe
        10⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\glhvcpw.exe
        
        C:\Windows\system32\glhvcpw.exe
        11⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\ashvv.exe
        
        C:\Windows\system32\ashvv.exe
        12⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\qilragnri.exe
        
        C:\Windows\system32\qilragnri.exe
        13⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\lnlwxgwkhwc.exe
        
        C:\Windows\system32\lnlwxgwkhwc.exe
        14⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\sikbsor.exe
        
        C:\Windows\system32\sikbsor.exe
        15⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\wfii.exe
        
        C:\Windows\system32\wfii.exe
        16⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\fykbevenvvtz.exe
        
        C:\Windows\system32\fykbevenvvtz.exe
        17⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\qgwgg.exe
        
        C:\Windows\system32\qgwgg.exe
        18⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\crwbrnxxevw.exe
        
        C:\Windows\system32\crwbrnxxevw.exe
        19⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\ichqi.exe
        
        C:\Windows\system32\ichqi.exe
        20⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\ecllqagf.exe
        
        C:\Windows\system32\ecllqagf.exe
        21⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\vtiwjdkvxoait.exe
        
        C:\Windows\system32\vtiwjdkvxoait.exe
        22⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\dqdtet.exe
        
        C:\Windows\system32\dqdtet.exe
        23⤵
        Suspicious behavior: RenamesItself
        
        PID:1348
        
        C:\Windows\SysWOW64\mtfcztlcg.exe
        
        C:\Windows\system32\mtfcztlcg.exe
        24⤵
        Suspicious behavior: RenamesItself
        
        PID:2036
        
        C:\Windows\SysWOW64\zqclwjynq.exe
        
        C:\Windows\system32\zqclwjynq.exe
        25⤵
        
        PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-46-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1348-77-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-40-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1680-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2328-23-0x0000000000690000-0x00000000006AB000-memory.dmp

Filesize
108KB

Download
memory/2328-36-0x0000000000690000-0x00000000006AB000-memory.dmp

Filesize
108KB

Download
memory/2328-29-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2328-30-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2328-27-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2328-33-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2328-26-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2328-25-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2328-24-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2360-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2416-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2528-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2572-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2804-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2856-48-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2860-52-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2948-50-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3060-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3644-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3672-44-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3796-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3796-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3984-11-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/3984-15-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/3984-32-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/3984-16-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3984-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3984-17-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/3984-13-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3984-14-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3984-18-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/3984-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3984-12-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/4532-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4968-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5052-39-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/5052-34-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/5052-37-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5108-3-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/5108-4-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/5108-20-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/5108-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5108-5-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5108-6-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/5108-22-0x00000000006D0000-0x00000000006EB000-memory.dmp

Filesize
108KB

Download
memory/5108-2-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5108-1-0x00000000006D0000-0x00000000006EB000-memory.dmp

Filesize
108KB

Download
memory/5108-7-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/5108-8-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/5108-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads