ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:50

Target

1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
Size

801KB
MD5

1a2f1f0bb3014b6dc2e4cba0c38f3a3d
SHA1

eae4fb7d04d59d0a50762fc5f85884a38e7d74cb
SHA256

ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838
SHA512

b76b48a7802eb8edbffbb1188df0f80a47f8e4a5efb0dd676ee9809f30ddc37edf049bb949b1cd0d808e84d6034c47c0590405e149505c18a20b06ba20c37625
SSDEEP

24576:/c//////Af9RhVlO5KfQDRCDxEgkasgiOREXqaf7fs5qZFJ+:/c//////AfThvfY1CD6asg6XXfLdo

Score

7^/10

Executes dropped EXE 2 IoCs

Processes:

21.exean.exe

pid process

1444 21.exe
3136 an.exe

pid	process
1444	21.exe
3136	an.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\an.exe	vmprotect
behavioral2/memory/3136-10-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect
behavioral2/memory/3136-11-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect
behavioral2/memory/3136-21-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

an.exe

pid process

3136 an.exe
3136 an.exe
3136 an.exe
3136 an.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2500 wrote to memory of 3236	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 3236	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 3236	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 3640	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 3640	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 3640	2500	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 3236 wrote to memory of 1444	3236	cmd.exe	21.exe
PID 3236 wrote to memory of 1444	3236	cmd.exe	21.exe
PID 3236 wrote to memory of 1444	3236	cmd.exe	21.exe
PID 3640 wrote to memory of 3136	3640	cmd.exe	an.exe
PID 3640 wrote to memory of 3136	3640	cmd.exe	an.exe
PID 3640 wrote to memory of 3136	3640	cmd.exe	an.exe

C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\21.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\21.exe
C:\Users\Admin\AppData\Local\Temp\\21.exe
3⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\an.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\21.exe
Filesize
32KB

MD5
3411daacd28adcc3e8777df9f0e55b68

SHA1
f3caa6baf64a8c83d0c46a4d6df1e603911f9852

SHA256
41b5098d4d30c6888f70ccfb03c92595ffb846a87a00b7a202e8e7c0fe029e23

SHA512
e1888ad1e9e53bd148b47d498a62172a13752e61beebfcc74f0e7eb2f29037a72487937ce84d29b02bd7692f2afd606ca803fbd36873ae3a73e05e2e2430f730

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe
Filesize
736KB

MD5
26618be6175e6ed1cc028978ba151495

SHA1
cb8b553bcffcb51bdce08ca3dca3200a8c8bcaec

SHA256
65c2c9086008da3d00e9574cdb9f7415e3f4f105d931531e65a89df63db0099f

SHA512
7d4bc1890f92065c84b60ab6bb48729d9730eef7a39ee937150582617bc3ed630e0fee9e350d6f3ef7b9032d11821b455c64d775b518b9eebd41446e1f097546

Download Submit
memory/1444-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2500-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3136-10-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3136-11-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3136-21-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download