0323425a578f2c2440987eb0cbd9af1f50ad2f5b2667b56950fad52535aac911

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:58

Target

1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe
Size

146KB
MD5

1b90dfb0e5ceecf88f138ef8e35b7d3e
SHA1

b10a1d0f5734fddeac4a554ba90e266a18860bd4
SHA256

0323425a578f2c2440987eb0cbd9af1f50ad2f5b2667b56950fad52535aac911
SHA512

a6532860941589b4356db5fce035c869e0c512a8175a525083ecfecd5ff86d51b3cb07b6d824a60e79bc85355f2699708599b1026da73467b2772a0cef3f206a
SSDEEP

3072:3AFMfmv+OIfi8ANqtSdzwLhWpRPpwfM8m3+SZcsySm2+zEgU3dhWywAX:3AFMfmv+OqodPeU8W+itySmHKV

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2220	velyt.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe
2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x003700000001451d-6.dat	upx
behavioral1/memory/2288-13-0x0000000001BD0000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2220-15-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2220	2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2220	2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2220	2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe	28
PID 2288 wrote to memory of 2220	2288	1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b90dfb0e5ceecf88f138ef8e35b7d3e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\Ireg\velyt.exe
  "C:\Users\Admin\AppData\Roaming\Ireg\velyt.exe"
  2⤵
  - Executes dropped EXE
  PID:2220

\Users\Admin\AppData\Roaming\Ireg\velyt.exe

Filesize
146KB

MD5
6f781db60e200016b005648a7fdb87f8

SHA1
d4239658453acebf93f4c6c6dc89f5378174113e

SHA256
62863c08396cf099def7ed906d4f228eb4e6b70daef5e5f4b3f81ef5cc98440c

SHA512
358ee9fc61231ad2c74aacdf4fdc388b1f72b632cc2270637e008d59dc93034263915da572280726e9e99b634fd2a92eaa5092881e86df47eff2b0aa28d15db4

Download Submit
memory/2220-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-1-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2288-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-3-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-14-0x0000000001BD0000-0x0000000001C28000-memory.dmp

Filesize
352KB

Download
memory/2288-13-0x0000000001BD0000-0x0000000001C28000-memory.dmp

Filesize
352KB

Download
memory/2288-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download