f6e30d5086980bfb8723136b6d6de9e5bac1d32bc385f5969a9b90d603db7f61

Analysis

max time kernel
92s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 02:27

Target

2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe
Size

87KB
MD5

2aaa7f8db74423c52106dd73d7fdd062
SHA1

a159f2b03279a7ee1ebc62e9cf462f21a7c11697
SHA256

f6e30d5086980bfb8723136b6d6de9e5bac1d32bc385f5969a9b90d603db7f61
SHA512

b5b3549bd41e252a85a80e8c34ad80ac8d2b15b0d76808c4525ebca44095aeb70aa929fa02c983fecec728e5b22fdb24e0377f3cca0762f7dd9f7fa84ecbd3e4
SSDEEP

1536:Q4HlPu18bn3kL0vQTXVf3BFnToIf1TFRr5ZyNbWEnZsPdcf1/Tym:jHldMVf3BtTBf1TFRr5ZyNbWUf1um

Score

8^/10

vmprotect

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/files/0x0008000000023442-4.dat	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RymftuC.dll	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe
2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe
2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe
2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4904	2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe	85
PID 2264 wrote to memory of 4904	2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe	85
PID 2264 wrote to memory of 4904	2264	2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2aaa7f8db74423c52106dd73d7fdd062_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2AAA7F~1.EXE > nul
  2⤵
  PID:4904

C:\Windows\SysWOW64\RymftuC.dll

Filesize
75KB

MD5
fb6f267185a1adf1c42653cf56227efc

SHA1
bdddeda40987991be1f1766e7359d5bfa4bc694a

SHA256
d73ec557c72b918786e4573073d7c544f51a18856073aec8bd50bbc672ca5e17

SHA512
fd87ed1ed94e046a093448e85011b2e06d8f3fea20f2d27e64ea70e2d72bf02e84b5dbaff2a66c432652d6a8e0a6b2fcd4b41bde4f2ceee86ba93fb45c09a28a

Download Submit