d514a54a53d6eb6d7f692cf1f7a543e2e04027e5cf72f15dbffd4a93dc4cf893

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 05:40

Target

4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe
Size

176KB
MD5

4d056de74d3d97be903f8332d6847a20
SHA1

3f520c504ae3dbc77cb890f4a2b735d3c91e0653
SHA256

d514a54a53d6eb6d7f692cf1f7a543e2e04027e5cf72f15dbffd4a93dc4cf893
SHA512

5a99d6adb037ba5d266af97bfac3a1ee801824320893b480ad210a0afd87155deaa550bf0151e18a02c89e78cd83df07f51036963d4c58a5bf33f0a44c91001e
SSDEEP

3072:h3pXaaYJHGb4vm1YbRJGiv0jKagDJmKbgemPMMy4Ff7A03OgjsRf:Z8MpWbp0jKa4dbYPMMy4tJRjsR

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2636	cleanmgr.exe
2832	cleanmgr.exe

Loads dropped DLL 3 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2528	2808	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2528	2808	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2528	2808	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2528	2808	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2636	2528	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2636	2528	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2636	2528	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2636	2528	4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2832	2636	cleanmgr.exe	31
PID 2636 wrote to memory of 2832	2636	cleanmgr.exe	31
PID 2636 wrote to memory of 2832	2636	cleanmgr.exe	31
PID 2636 wrote to memory of 2832	2636	cleanmgr.exe	31

C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe" 2732
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe
    "C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe" {4FDFD539-8B74-4028-9568-B64B108F7B31} 2580 "C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\cleanmgr.exe" {4FDFD539-8B74-4028-9568-B64B108F7B31} 2580 2624 "C:\Users\Admin\AppData\Local\Temp\4d056de74d3d97be903f8332d6847a20_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      PID:2832

\Users\Admin\AppData\Local\Temp\cleanmgr.exe

Filesize
176KB

MD5
d5cef1b49fe3c381a5eda6fae3255e26

SHA1
ed3f40f488a7cd59d2a5b5f55261b6252e36414a

SHA256
d5819cb129e76e50174766fecb0cb16e1ee54d047f70240b8034877a1a0dc5aa

SHA512
8e0f55cff3fb282789f5f25e1e2ff49b9ddceb66d16e63dd175492ef6ecf4f15d2df93159675db694155a198b8c47b2fd8d4366499a4cbbfe1d9089a1ed5d352

Download Submit