fc3eb20dee28466a7e6282cb2ce8a6d7f1e79c086c2518aed46916e1b9e709b9

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 19:10

Target

f1b7494286c9dec238f70f56ffb14c80_JaffaCakes118.dll
Size

76KB
MD5

f1b7494286c9dec238f70f56ffb14c80
SHA1

2fd322c2d2aab12407d6a7d1beee4b5b275a3aed
SHA256

fc3eb20dee28466a7e6282cb2ce8a6d7f1e79c086c2518aed46916e1b9e709b9
SHA512

0618a2e8befbc3ea1801bb867cd38a8dfa48b1432757105b9056b82a533a037714e1b8926e779d8accbce3e3428a1683eeee56f483884da07b4eca8ee2ae2536
SSDEEP

1536:c3k/HdXMFxmewny5lgB0LE9W0q7oY1dFhkPPMXT3tt:c3k/HxMFJJgWQo0q5gsTn

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/2960-0-0x0000000010000000-0x0000000010025000-memory.dmp	vmprotect
behavioral2/memory/2960-2-0x0000000010000000-0x0000000010025000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2960	2660	rundll32.exe	87
PID 2660 wrote to memory of 2960	2660	rundll32.exe	87
PID 2660 wrote to memory of 2960	2660	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1b7494286c9dec238f70f56ffb14c80_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1b7494286c9dec238f70f56ffb14c80_JaffaCakes118.dll,#1
  2⤵
  PID:2960

memory/2960-0-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2960-2-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download