3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 22:02

Target

2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
Size

250KB
MD5

2662ee57f7bf5ea4c8871b2f587e3bd4
SHA1

b19f19cb047d7d987cec5a597d9df15d0f8e87f7
SHA256

3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
SHA512

b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
SSDEEP

6144:VSupje/Mir3zyvj8z5QcYrW9kW4zI8yD4og8ZH:VJFSMwjyvY6D+8b+

Score

7^/10

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Windows\SysWOW64\config\SAM.EXE aspack_v212_v242
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2708 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

SAM.EXE

pid process

2748 SAM.EXE

resource	yara_rule
C:\Windows\SysWOW64\config\SAM.EXE	aspack_v212_v242

pid	process
2708	cmd.exe

pid	process
2748	SAM.EXE

Drops file in System32 directory 3 IoCs

Processes:

2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exeSAM.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\CONFIG\SAM.EXE	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CONFIG\SAM.EXE	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CONFIG\SAM.EXE	SAM.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe

description	pid	process	target process
PID 1560 wrote to memory of 2708	1560	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe
PID 1560 wrote to memory of 2708	1560	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe
PID 1560 wrote to memory of 2708	1560	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe
PID 1560 wrote to memory of 2708	1560	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2471.bat
2⤵
- Deletes itself
PID:2708

C:\Users\Admin\AppData\Local\Temp\2471.bat
Filesize
226B

MD5
d5c72995a477b92ea610765da4c95023

SHA1
ccdc63852900e1ced2e554d363630dab1e6cff08

SHA256
848151f97bf3691aebd2bd13b5236934643a0c7a69d31afb09a7fd5054d42db2

SHA512
6c0af09b7fd6b56c942f1f23c760aba0a57ac4dfc0c76894616f60178904716062f3bb2585f389eef8c904ca20cd97e29310fefef3b396ef59d0f99e2488a01b

Download Submit
C:\Windows\SysWOW64\config\SAM.EXE
Filesize
250KB

MD5
2662ee57f7bf5ea4c8871b2f587e3bd4

SHA1
b19f19cb047d7d987cec5a597d9df15d0f8e87f7

SHA256
3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1

SHA512
b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085

Download Submit
memory/1560-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1560-19-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2748-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2748-11-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download