d2d98aef84334fa7255bdef974fa4a5d1dfa0ec69ed42e76c0a8cbc3985bdf1c

Analysis

max time kernel
16s
max time network
21s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 22:16

Target

603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe
Size

155KB
MD5

603048898498a5d06d8cde12a360ac60
SHA1

e7984c8deb3d406c99b0815431744698555294ba
SHA256

d2d98aef84334fa7255bdef974fa4a5d1dfa0ec69ed42e76c0a8cbc3985bdf1c
SHA512

289bc953ec18cd926b2e9373481fd1a24149ef1b9c0c91aadbe771f058e691a41e6165c2cb18cdb23f1eead18bffed23ae7eccaecd363812c806185ffcfddd3f
SSDEEP

3072:Gy7KwOTL5gsjKazB2PscNAwNd1T8Z+w4WG68ULkxa:GOKwOTLjzNSHNAwNd1YvC61gw

Score

1^/10

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2424	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2424	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2424	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2424	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2592	2424	net.exe	31
PID 2424 wrote to memory of 2592	2424	net.exe	31
PID 2424 wrote to memory of 2592	2424	net.exe	31
PID 2424 wrote to memory of 2592	2424	net.exe	31
PID 1820 wrote to memory of 2060	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	32
PID 1820 wrote to memory of 2060	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	32
PID 1820 wrote to memory of 2060	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	32
PID 1820 wrote to memory of 2060	1820	603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe	32
PID 2060 wrote to memory of 2280	2060	net.exe	34
PID 2060 wrote to memory of 2280	2060	net.exe	34
PID 2060 wrote to memory of 2280	2060	net.exe	34
PID 2060 wrote to memory of 2280	2060	net.exe	34

C:\Users\Admin\AppData\Local\Temp\603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\603048898498a5d06d8cde12a360ac60_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    PID:2592
- C:\Windows\SysWOW64\net.exe
  net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SharedAccess
    3⤵
    PID:2280

memory/1820-0-0x0000000002020000-0x0000000002024000-memory.dmp

Filesize
16KB

Download
memory/1820-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-3-0x0000000002020000-0x0000000002024000-memory.dmp

Filesize
16KB

Download
memory/1820-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1820-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download