c3bb35dc06c28e6be7dc0d9b2f2c0ab51fb8301bf507b91292aea6ab75abecad

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 17:47

Target

5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe
Size

293KB
MD5

5cffdce7ec8fbba5527d846ab10ba634
SHA1

33249ab5b3857ecb173bcbc9f28c69746cb1816c
SHA256

c3bb35dc06c28e6be7dc0d9b2f2c0ab51fb8301bf507b91292aea6ab75abecad
SHA512

8924ca9e635716ea7e55317e3d18cd671f5b4b4078b0eb2720d4076c7eb67ce876da1f831e8b1d5cb5133760874007235528327d854d7fb8ff1bffb34dc673cc
SSDEEP

6144:EsXOacJ8UEns1BY6kiyOqe8/ozQ7kSsixHZ8/+pTWT/ylpoS:EoEqUEsBY4ceQ4ne8qTWupoS

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	Avesvc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Avesvc.exe	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Avesvc.exe	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Avesvc.exe	Avesvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2544	2680	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2544	2680	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2544	2680	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2544	2680	5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5cffdce7ec8fbba5527d846ab10ba634_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\JXGOKS.bat
  2⤵
  - Deletes itself
  PID:2544

C:\Users\Admin\AppData\Local\Temp\JXGOKS.bat

Filesize
218B

MD5
a35b58ffadbf061b23b17ac1a995f56d

SHA1
c6059ef25c16703dcbdc9907da25c7ff2ecb5a63

SHA256
9f99a0880a3c57271f4fb4fde2fb08f4f88838c2d3d23f1c52f7f4aa8b45d0e4

SHA512
83b037923dd84639ad084e3b5def0e316e9dc58e5fc2e99f60d70c6df20c8dcb11b4b478326709a5763b1e3e009c4d12bde0df41a0195c7d97a01a86f626f256

Download Submit
C:\Windows\SysWOW64\Avesvc.exe

Filesize
293KB

MD5
5cffdce7ec8fbba5527d846ab10ba634

SHA1
33249ab5b3857ecb173bcbc9f28c69746cb1816c

SHA256
c3bb35dc06c28e6be7dc0d9b2f2c0ab51fb8301bf507b91292aea6ab75abecad

SHA512
8924ca9e635716ea7e55317e3d18cd671f5b4b4078b0eb2720d4076c7eb67ce876da1f831e8b1d5cb5133760874007235528327d854d7fb8ff1bffb34dc673cc

Download Submit
memory/2516-5-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/2516-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2516-9-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/2680-0-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/2680-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2680-18-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download