4f50395db20405b0898081ef7754a0e094475b1bc7b5e1241535c75dbe4838ee

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 16:37

Target

3126926e82377869be46728af47eff23_JaffaCakes118.exe
Size

578KB
MD5

3126926e82377869be46728af47eff23
SHA1

b6c935cc3d6f300dbf9f781c50fdcac2d7919391
SHA256

4f50395db20405b0898081ef7754a0e094475b1bc7b5e1241535c75dbe4838ee
SHA512

0e4d5d9451053508535f2c4ec9a0ba9f305cf9cc8304c6f8318f232516e0b87ae6c2887b56e5549e4b3675e080748c0a4a6d995dc18727fb26f3c604d1075160
SSDEEP

12288:0JXwp1Sv1ize3/HaB8fTLEO9VzoS7En2EoNxDIBuOFe7/uT:Cwp1Sv1Cefc87oELE2ptIoOFdT

Score

7^/10

aspackv2 upx

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral2/files/0x00090000000233d0-5.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4448	yl_fuck.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1200-0-0x0000000000400000-0x0000000000548000-memory.dmp	upx
behavioral2/memory/1200-9-0x0000000000400000-0x0000000000548000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5088	1200	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4448	1200	3126926e82377869be46728af47eff23_JaffaCakes118.exe	83
PID 1200 wrote to memory of 4448	1200	3126926e82377869be46728af47eff23_JaffaCakes118.exe	83
PID 1200 wrote to memory of 4448	1200	3126926e82377869be46728af47eff23_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\3126926e82377869be46728af47eff23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3126926e82377869be46728af47eff23_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\yl_fuck.exe
  C:\Users\Admin\AppData\Local\Temp\yl_fuck.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 480
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1200 -ip 1200
1⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\yl_fuck.exe

Filesize
9KB

MD5
fbf37911b3960af01edce84345d2909c

SHA1
fc2e7fc4093c9bc693a73748f65cdae2f87ebf1a

SHA256
6b5433a2ec878fc100acb0f2d5107d0764395e5a0d71eb6ef3146b742736380f

SHA512
0c45119591097f4395a1fa48a358e4b8ec5f446dbe06b2a1c495aeaf378a78d4b21d3c6a189b6c805279a69c7924e05b03366b20b69ca268cbfda91574ff7e4c

Download Submit
memory/1200-0-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1200-9-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/4448-6-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4448-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download