184656691a65d8b83575fac3ed260d9903594c4585c683a518d5057538d23322

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe
Size

99KB
MD5

60314ca21e930964dd8cf42199d78336
SHA1

1c0be0613e1fc934d9da5badfde94c5257897d84
SHA256

184656691a65d8b83575fac3ed260d9903594c4585c683a518d5057538d23322
SHA512

8ad4428b850d45b601c9c607f9726da05eafce17e9b9433eca1938c59e3defe39d194398b9f9452493ccf49509d26efe02b32eb91c096236d7acd899736b8327
SSDEEP

1536:h23L6LSxvoFUbKRApzgoeyt6MhupYbOtuUeomJBoY+:hGuslXVHrDPbor

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4656	Realtek.exe
4576	Realtek.exe
3908	Realtek.exe
5056	Realtek.exe
1068	Realtek.exe
4524	Realtek.exe
4732	Realtek.exe
1516	Realtek.exe
216	Realtek.exe
3488	Realtek.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe
File opened for modification	C:\Windows\SysWOW64\Realtek.exe	60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Realtek.exe	Realtek.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4656	3332	60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe	84
PID 3332 wrote to memory of 4656	3332	60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe	84
PID 3332 wrote to memory of 4656	3332	60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe	84
PID 4656 wrote to memory of 4576	4656	Realtek.exe	95
PID 4656 wrote to memory of 4576	4656	Realtek.exe	95
PID 4656 wrote to memory of 4576	4656	Realtek.exe	95
PID 4576 wrote to memory of 3908	4576	Realtek.exe	97
PID 4576 wrote to memory of 3908	4576	Realtek.exe	97
PID 4576 wrote to memory of 3908	4576	Realtek.exe	97
PID 3908 wrote to memory of 5056	3908	Realtek.exe	100
PID 3908 wrote to memory of 5056	3908	Realtek.exe	100
PID 3908 wrote to memory of 5056	3908	Realtek.exe	100
PID 5056 wrote to memory of 1068	5056	Realtek.exe	101
PID 5056 wrote to memory of 1068	5056	Realtek.exe	101
PID 5056 wrote to memory of 1068	5056	Realtek.exe	101
PID 1068 wrote to memory of 4524	1068	Realtek.exe	103
PID 1068 wrote to memory of 4524	1068	Realtek.exe	103
PID 1068 wrote to memory of 4524	1068	Realtek.exe	103
PID 4524 wrote to memory of 4732	4524	Realtek.exe	104
PID 4524 wrote to memory of 4732	4524	Realtek.exe	104
PID 4524 wrote to memory of 4732	4524	Realtek.exe	104
PID 4732 wrote to memory of 1516	4732	Realtek.exe	109
PID 4732 wrote to memory of 1516	4732	Realtek.exe	109
PID 4732 wrote to memory of 1516	4732	Realtek.exe	109
PID 1516 wrote to memory of 216	1516	Realtek.exe	113
PID 1516 wrote to memory of 216	1516	Realtek.exe	113
PID 1516 wrote to memory of 216	1516	Realtek.exe	113
PID 216 wrote to memory of 3488	216	Realtek.exe	114
PID 216 wrote to memory of 3488	216	Realtek.exe	114
PID 216 wrote to memory of 3488	216	Realtek.exe	114

C:\Users\Admin\AppData\Local\Temp\60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Realtek.exe
  C:\Windows\system32\Realtek.exe 1032 "C:\Users\Admin\AppData\Local\Temp\60314ca21e930964dd8cf42199d78336_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\Realtek.exe
    C:\Windows\system32\Realtek.exe 1152 "C:\Windows\SysWOW64\Realtek.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\Realtek.exe
      C:\Windows\system32\Realtek.exe 1128 "C:\Windows\SysWOW64\Realtek.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1132 "C:\Windows\SysWOW64\Realtek.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1092 "C:\Windows\SysWOW64\Realtek.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1136 "C:\Windows\SysWOW64\Realtek.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1140 "C:\Windows\SysWOW64\Realtek.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1144 "C:\Windows\SysWOW64\Realtek.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1104 "C:\Windows\SysWOW64\Realtek.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Realtek.exe
        
        C:\Windows\system32\Realtek.exe 1156 "C:\Windows\SysWOW64\Realtek.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Realtek.exe

Filesize
99KB

MD5
60314ca21e930964dd8cf42199d78336

SHA1
1c0be0613e1fc934d9da5badfde94c5257897d84

SHA256
184656691a65d8b83575fac3ed260d9903594c4585c683a518d5057538d23322

SHA512
8ad4428b850d45b601c9c607f9726da05eafce17e9b9433eca1938c59e3defe39d194398b9f9452493ccf49509d26efe02b32eb91c096236d7acd899736b8327

Download Submit
memory/216-47-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/216-41-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1068-31-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1068-26-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1068-25-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1516-43-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1516-37-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1516-38-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3332-11-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3332-0-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3332-2-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3332-1-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3488-45-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3488-46-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3908-18-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3908-17-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3908-23-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4524-35-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4524-29-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4524-30-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4576-14-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4576-19-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4576-13-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4656-15-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4656-9-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4732-34-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4732-39-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/5056-27-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/5056-22-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/5056-21-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads