440c9c0a9b717576814abc169aed083f3f73112050307b0ff9655f7ad9d4cdd3

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 10:55

Target

62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe
Size

129KB
MD5

62f4b6353e9dbb7007a75ef74d198ee4
SHA1

650ced97eeb7abbd7860597e7c4511c0b494cacc
SHA256

440c9c0a9b717576814abc169aed083f3f73112050307b0ff9655f7ad9d4cdd3
SHA512

47dded66cb4aa212e8bf24c3a86c3f2f7816d4e3361c97d6b41df45f8794c55d0c3d80b6c0a6b44b1ebed1f8b8bb17295d03a7e38fc3507644c0a49520ee19af
SSDEEP

3072:Wnt7HaF0T/QsUyP8jC+n+8MU2ZJSvNnVNwAN48fr/vFZr5Hhpa:mjagQqP8QvJoHwWt/vHr5

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\web.exe	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\web.exe	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\web32.dll	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ = "C:\\Windows\\Debug\\web32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1316	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1252	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	84
PID 2412 wrote to memory of 1252	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	84
PID 2412 wrote to memory of 1252	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	84
PID 2412 wrote to memory of 1904	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	85
PID 2412 wrote to memory of 1904	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	85
PID 2412 wrote to memory of 1904	2412	62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe	85
PID 1252 wrote to memory of 1316	1252	cmd.exe	88
PID 1252 wrote to memory of 1316	1252	cmd.exe	88
PID 1252 wrote to memory of 1316	1252	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\run1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\s1.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\62f4b6353e9dbb7007a75ef74d198ee4_JaffaCakes118.exe"
  2⤵
  PID:1904

C:\Users\Admin\AppData\Local\Temp\run1.bat

Filesize
118B

MD5
c9ca0afd6c6d4ba684394ab5ee38482c

SHA1
218342e5aa6ad25831f0f4991dd45cc822940206

SHA256
fb1820a50d3feaa20d5c43c92ce107c025d80549a0337b272df8c9f5ce89c25c

SHA512
3c8228a0cada2ef3a4c8fba626afd0bb5f518413243f0473842ae16a96a72e8b96229026413721c9472908945a6198ee6aa260f6c7516b984b3f7de6889a0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1.reg

Filesize
401B

MD5
5e32fb9a736a8c57fc91d686f47933a0

SHA1
af36957427a7941e76706171e5943fdf5e8345e6

SHA256
1691cac4fc9de53de098f525ff02f9a01cabbc952f00eed8c533f62190ef8ba4

SHA512
96e4734944bbee46e7b3b3ca5bb692482df6ce91fbf764828d1304d1133ee7e3dc6c63cb3d5bd4e7a59adbc9a23af438490db5827cfb0438a3aa8eaf91a2546e

Download Submit
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-1-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/2412-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download