3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 22:02

Target

2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
Size

250KB
MD5

2662ee57f7bf5ea4c8871b2f587e3bd4
SHA1

b19f19cb047d7d987cec5a597d9df15d0f8e87f7
SHA256

3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
SHA512

b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
SSDEEP

6144:VSupje/Mir3zyvj8z5QcYrW9kW4zI8yD4og8ZH:VJFSMwjyvY6D+8b+

Score

7^/10

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Windows\SysWOW64\CONFIG\SAM.EXE aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

SAM.EXE

pid process

1932 SAM.EXE

resource	yara_rule
C:\Windows\SysWOW64\CONFIG\SAM.EXE	aspack_v212_v242

pid	process
1932	SAM.EXE

Drops file in System32 directory 3 IoCs

Processes:

SAM.EXE2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\CONFIG\SAM.EXE	SAM.EXE
File created	C:\Windows\SysWOW64\CONFIG\SAM.EXE	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CONFIG\SAM.EXE	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe

description	pid	process	target process
PID 2444 wrote to memory of 2052	2444	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe
PID 2444 wrote to memory of 2052	2444	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe
PID 2444 wrote to memory of 2052	2444	2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6886.bat
2⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\6886.bat
Filesize
226B

MD5
d5c72995a477b92ea610765da4c95023

SHA1
ccdc63852900e1ced2e554d363630dab1e6cff08

SHA256
848151f97bf3691aebd2bd13b5236934643a0c7a69d31afb09a7fd5054d42db2

SHA512
6c0af09b7fd6b56c942f1f23c760aba0a57ac4dfc0c76894616f60178904716062f3bb2585f389eef8c904ca20cd97e29310fefef3b396ef59d0f99e2488a01b

Download Submit
C:\Windows\SysWOW64\CONFIG\SAM.EXE
Filesize
250KB

MD5
2662ee57f7bf5ea4c8871b2f587e3bd4

SHA1
b19f19cb047d7d987cec5a597d9df15d0f8e87f7

SHA256
3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1

SHA512
b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085

Download Submit
memory/1932-8-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1932-11-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2444-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2444-14-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download