5dd110888920acdec78496651e38820ca80c3b97e4f2f0e485641f7ad7f1888a

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 16:26

Target

f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
Size

51KB
MD5

f17c6e33113ebe205f41eea49fd25aa5
SHA1

eb441ea20b4747d96935eb36762889fae011cb2f
SHA256

5dd110888920acdec78496651e38820ca80c3b97e4f2f0e485641f7ad7f1888a
SHA512

2ba15af862c1097cef865b47d70eda4e1d3696da858e7c68addbe1657be9768a6d4099013eea2fc69af42a9ffc4c39c79b717266f8cfbf2b39cefc8be66c2f30
SSDEEP

1536:uX637GBxS+duUgWA6HdAPqY2BfmmlAhSc:L+dLu69h2hSc

Score

7^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x0009000000012254-6.dat	vmprotect

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mshtml.dllTJGYl	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll.mod	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mshtml.dll.mod	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dllTJGYl	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dll	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\ktjRq.LOG	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
File opened for modification	C:\Windows\system\ktjRq.LOG	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	1644	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3048	1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe	28
PID 1644 wrote to memory of 3048	1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe	28
PID 1644 wrote to memory of 3048	1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe	28
PID 1644 wrote to memory of 3048	1644	f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f17c6e33113ebe205f41eea49fd25aa5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 128
  2⤵
  - Program crash
  PID:3048

C:\Users\Admin\AppData\Local\Temp\TQ4318.tmp

Filesize
69KB

MD5
70224a9538e486cde03e58417288fab1

SHA1
4a311db27e77b41f31185939b43b159b3614770d

SHA256
258d50c7e28658eabea1837d5bc14d204a252b08cb4ed0cc57d8291d2c1d9c5f

SHA512
cbabafdd371c7472c85993e5fcb90f81f64f6ca883dbbeae78158fb4803ef424eef50f819a620e71aeb8717f5fefa7643300a6724f982745cc428263238973c2

Download Submit
memory/1644-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1644-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download