03d3760b0df3b30a93e6657a888688035abf1ed70dae3241891f952d97cf52a1

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 23:39

Target

3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe
Size

68KB
MD5

3b2c71745fac75a8c1fdc5ebb504887f
SHA1

4943e1cccde5f174fec2a737336ea13b286fbdbb
SHA256

03d3760b0df3b30a93e6657a888688035abf1ed70dae3241891f952d97cf52a1
SHA512

652fff578c90dd303f787442fee492155395de35d31a0d596aac2dce55f454ec9d9c7724c0c696615b3919139b98942234127de34aa97e06e6556a6871db255c
SSDEEP

1536:e8/owf+hI/xf1T4W2RoV15dYvPVJP1YFHFVrXO+VIOevlb8:eWEhWxn2Ro56Ji7R9evlY

Score

7^/10

vmprotect

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	hjao.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000400000-0x0000000000426000-memory.dmp	vmprotect
behavioral1/memory/2076-1-0x0000000000400000-0x0000000000426000-memory.dmp	vmprotect
behavioral1/files/0x0007000000012119-3.dat	vmprotect
behavioral1/memory/2512-4-0x0000000000400000-0x0000000000426000-memory.dmp	vmprotect
behavioral1/memory/2076-6-0x0000000000400000-0x0000000000426000-memory.dmp	vmprotect
behavioral1/memory/2512-7-0x0000000000400000-0x0000000000426000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hjao.exe	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hjao.exe	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2592	2076	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2592	2076	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2592	2076	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2592	2076	3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b2c71745fac75a8c1fdc5ebb504887f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3B2C71~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2592

C:\Windows\SysWOW64\hjao.exe
C:\Windows\SysWOW64\hjao.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWOW64\hjao.exe

Filesize
68KB

MD5
3b2c71745fac75a8c1fdc5ebb504887f

SHA1
4943e1cccde5f174fec2a737336ea13b286fbdbb

SHA256
03d3760b0df3b30a93e6657a888688035abf1ed70dae3241891f952d97cf52a1

SHA512
652fff578c90dd303f787442fee492155395de35d31a0d596aac2dce55f454ec9d9c7724c0c696615b3919139b98942234127de34aa97e06e6556a6871db255c

Download Submit
memory/2076-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2076-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2076-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2512-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2512-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download