Analysis
-
max time kernel
91s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2024 02:26
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe
-
Size
846.9MB
-
MD5
91f5984711797e69aaad871121cc47c7
-
SHA1
f23b1683ea93e169f86b77f1192ad8a541683db7
-
SHA256
d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971
-
SHA512
bc315f9b564b7a6568763f38033215efe1efc1a593e127ec79feb420218c9e220722e171beb7b96412bda3d10c5ffef871566a2ab515630009c47ea97c1e16e0
-
SSDEEP
98304:aXFI1hlwPZrYhOGXPTB9o88iqn6BHdSCx0eJw1128fJWtGuAsoNE08JL:aXFI1hlwPZabB9ZOWdSww4thAs2EVJL
Malware Config
Signatures
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/2252-1-0x0000000000990000-0x0000000001BB0000-memory.dmp net_reactor -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2180 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe 86 PID 2252 wrote to memory of 2180 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe 86 PID 2252 wrote to memory of 2180 2252 JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d689b232492a44023b23c35bbdfcc74692287b0f7cca5f256ed014ad97f56971.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"2⤵PID:2180
-