0cfbd1efa3fcadc271811b0516f13f10fc387a646b3e18c5b897876adcb51783

Analysis

max time kernel
133s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 03:17

Target

20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
Size

257KB
MD5

20e753eb4fd6baa271f2fc7e852cd185
SHA1

b4797e0f9e1965dca426a9977fcfc65687ec16c6
SHA256

0cfbd1efa3fcadc271811b0516f13f10fc387a646b3e18c5b897876adcb51783
SHA512

83198192e688c0e075e4eed24697f1027e8e33e863569389986ec7e146bd22d80ea742bcb57cbc8744efc915eb01c69300b9c37a9a96caf109f4b151e15f77f9
SSDEEP

3072:kbgAlpVUUgDfwl+LBvnVdQrUg5ZjFGxuLy/ug986sXC6NCHOv:kgAAfwkLBvnVsZjFGxuW/ugWdXC68O

Score

7^/10

vmprotect

Loads dropped DLL 1 IoCs

pid	Process
3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/files/0x0007000000023414-9.dat	vmprotect
behavioral2/memory/3408-12-0x0000000010000000-0x0000000010012000-memory.dmp	vmprotect

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zydxc0209.dll	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zydxc2.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zydxc3.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zydxc4.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zydxc3.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zydxc4.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mysafe.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zydxc1.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zydxc1.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zydxc2.dat	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3164	3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe	82
PID 3408 wrote to memory of 3164	3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe	82
PID 3408 wrote to memory of 3164	3408	20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20e753eb4fd6baa271f2fc7e852cd185_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\20E753~1.EXE
  2⤵
  PID:3164

C:\Windows\SysWOW64\zydxc0209.dll

Filesize
64KB

MD5
e43982c7da456041194f20313a2c5e3d

SHA1
7db50334fd8629c13d7e8a13cd23ea732fac22be

SHA256
2b90dd4f291ac33be18d88151ffc68639bdf6796222314b114e8874cf821bde3

SHA512
4e1fce8ff72ad3f9ac84ee8c76f60657f0edede964aeadf4994b1894faadcb84f48ed41c3bc0cec000080f69d4fcb41f1dbeee448f3b74b5e22c0cd3c13f00fd

Download Submit
memory/3408-12-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download