df256eec323dd3816702227af8c5f4befff83fefcaad339c52a6fd9210459705

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 08:55

Target

1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe
Size

61KB
MD5

1aad9af96101a32b33ea935c2a9d59e5
SHA1

7be390f36d3dda8b941d2d372741ed69fa7c1c9a
SHA256

df256eec323dd3816702227af8c5f4befff83fefcaad339c52a6fd9210459705
SHA512

4edd4b330c2ca19d63a7959755ce96dd81168f135c77b5e9527cb01f6d96ecfca3111b13023cd6d19dcc23243b86eae2abbb96293259da3eff2be5d07a7bb4e9
SSDEEP

768:0oBXcmidIVG6dPrr3N7EKpnKF8D4AQfgLeU1JoxndW3N2QQTu0iIwb9kEPQBLaB:1GSPrrqKRKFcmU1MdW92QKuhIwht4B+

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2864	1052	WerFault.exe	27

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2864	1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe	28
PID 1052 wrote to memory of 2864	1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe	28
PID 1052 wrote to memory of 2864	1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe	28
PID 1052 wrote to memory of 2864	1052	1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aad9af96101a32b33ea935c2a9d59e5_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 288
  2⤵
  - Program crash
  PID:2864

memory/1052-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1052-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download