c36637bb9e07094aecf80ef2e5ae15c3e5e1211f8e61e54e4538b2df1816dfbb

Analysis

max time kernel
133s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:23

Target

1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe
Size

176KB
MD5

1c60a7a1d88608741149f5216274d19f
SHA1

5d078e4ad58ae432035a0205c79429dd5c7df426
SHA256

c36637bb9e07094aecf80ef2e5ae15c3e5e1211f8e61e54e4538b2df1816dfbb
SHA512

598f4aeceb6f0ea02f940bfc9047cf38badf4f7186b5056fa9f2c0d90e89e8b922c9b2ba7a1e483cf1dfbdcc07e9db12f377ee1362647a67723d460e9f8811b1
SSDEEP

3072:nuug/5q6gVLypcUnG0+lb4AzOT0MCMz1BENi2XNqW7k7jrRL:nuTgVLyk0u3PMC63E1art

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

pid process

316 1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

pid	process
316	1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe	upx
behavioral2/memory/316-6-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/316-8-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2660 316 WerFault.exe 1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

pid	pid_target	process	target process
2660	316	WerFault.exe	1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe

description	pid	process	target process
PID 1876 wrote to memory of 316	1876	1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe	1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe
PID 1876 wrote to memory of 316	1876	1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe	1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe
PID 1876 wrote to memory of 316	1876	1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe	1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 264
3⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 316 -ip 316
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\1c60a7a1d88608741149f5216274d19f_JaffaCakes118mgr.exe
Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
memory/316-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/316-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/316-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1876-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1876-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download