c09e6ca337c317db0259ff875f2c2100d389e616251684f43850a0b3e115d4e7

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 04:48

Target

5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
Size

48KB
MD5

5a867456ee86a0b00f6c1c108fc32c7e
SHA1

a2830e6f84dbf518ac3adf7afae483b3056f27cd
SHA256

c09e6ca337c317db0259ff875f2c2100d389e616251684f43850a0b3e115d4e7
SHA512

2ed1cd0d0340291b0cfb4dc87189f1d189c649476be8f8826e61de2896ad173cc8bf29994aeaf57855a7a2bf268a4a6dcee44189f5a7b3ad04ce0f7d41b5de2a
SSDEEP

1536:eTp7c12yyp6cCBtLry+ZhnnTd+MTkAKu78X:J12yVcgtLO+jBK

Score

7^/10

vmprotect

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/files/0x0008000000016d1d-5.dat	vmprotect

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mshtml.dll.mod	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dlltjhXN	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\mshtml.dll	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dlltjhXN	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mshtml.dll.mod	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\tjhXN.LOG	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
File created	C:\Windows\system\tjhXN.LOG	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	804	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2944	804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe	30
PID 804 wrote to memory of 2944	804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe	30
PID 804 wrote to memory of 2944	804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe	30
PID 804 wrote to memory of 2944	804	5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a867456ee86a0b00f6c1c108fc32c7e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 132
  2⤵
  - Program crash
  PID:2944

C:\Users\Admin\AppData\Local\Temp\tjhXN.LOG

Filesize
58KB

MD5
4682040f8ba0b2d8d94210160cdbf824

SHA1
22a686dbc9d75c741d2aee9a4541faeba522fe2c

SHA256
409f70e7d9375a93fc5d64e11e5e59a4ad2968f214ef6ed69e9aed66823c33b8

SHA512
a442e8c610a6f315247667df05bc02ca8b458a0a42133909aaa88e479811c6d4181af5b3e6649387062d0c3b39a33148689e45612dbb9d50ba154732d95dc6e0

Download Submit
memory/804-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/804-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download