79f7db37cdb4775f8dc42f6601e62e2d9a0ba65eedea5b1d9989f491a6d2da7e

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 16:20

Target

eb7a403ce8c7b733d304d1cf03c816c4_JaffaCakes118.dll
Size

1.9MB
MD5

eb7a403ce8c7b733d304d1cf03c816c4
SHA1

051883c16b7231c9805a9f7028e6259592b1dd58
SHA256

79f7db37cdb4775f8dc42f6601e62e2d9a0ba65eedea5b1d9989f491a6d2da7e
SHA512

1a4d81e4c44ca50dc264e244f36f0a40b109b9ca91d014d557c2ce8b143f335f3ab961b1eca4c85a5b225b9a0176b8060b915c6208ce6116eba48eacc9602c6a
SSDEEP

24576:so71iIX4dGRpvdITWkdlC/KIQO8Qfmf8ZEdTws8pHAHEgqAE0FDTIY7/hl:s6xZI19IQAuMdA80FDTIYDhl

Score

7^/10

themida

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

resource	yara_rule
behavioral1/memory/908-0-0x0000000010000000-0x00000000101F2000-memory.dmp	themida

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28
PID 3056 wrote to memory of 908	3056	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb7a403ce8c7b733d304d1cf03c816c4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb7a403ce8c7b733d304d1cf03c816c4_JaffaCakes118.dll,#1
  2⤵
  PID:908

memory/908-0-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/908-1-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download