8aa856cc052d9375c0f0b07af7c0b53df2ba2a174c2da76894d09505136d772e

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 13:24

Target

60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe
Size

50KB
MD5

60a83c049e135cc199138c1f8861437c
SHA1

9daf2a603f611c2d7973a3bdc9a27d23564b1418
SHA256

8aa856cc052d9375c0f0b07af7c0b53df2ba2a174c2da76894d09505136d772e
SHA512

a31201290d345a30bfed7f10dce7e4814d35206e824b6cb12852faef5302fee6fd378f8c933cd591b3b183268c264e0196aba6628429a8d7d560683231da5fb1
SSDEEP

1536:vIUImb70JVldIh7boOIhCKe05DzWmo64yKu5++4Na:vtb7uVldIhIhb5Gm6yKus

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2292	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	lghgfgfs.exe

Loads dropped DLL 2 IoCs

pid	Process
580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe
580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2020	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	30
PID 580 wrote to memory of 2020	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	30
PID 580 wrote to memory of 2020	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	30
PID 580 wrote to memory of 2020	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	30
PID 580 wrote to memory of 2292	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	31
PID 580 wrote to memory of 2292	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	31
PID 580 wrote to memory of 2292	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	31
PID 580 wrote to memory of 2292	580	60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60a83c049e135cc199138c1f8861437c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:580
- C:\ProgramData\berkjozo\lghgfgfs.exe
  C:\ProgramData\berkjozo\lghgfgfs.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\60A83C~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:2292

\ProgramData\berkjozo\lghgfgfs.exe

Filesize
50KB

MD5
60a83c049e135cc199138c1f8861437c

SHA1
9daf2a603f611c2d7973a3bdc9a27d23564b1418

SHA256
8aa856cc052d9375c0f0b07af7c0b53df2ba2a174c2da76894d09505136d772e

SHA512
a31201290d345a30bfed7f10dce7e4814d35206e824b6cb12852faef5302fee6fd378f8c933cd591b3b183268c264e0196aba6628429a8d7d560683231da5fb1

Download Submit
memory/580-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download