1306640e843b792a8ad7c5c977975a760128183bd3b76199adf524496c3839f7

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 10:36

Target

f7d172500e9db552c2a13ad4eee35c0d_JaffaCakes118.dll
Size

89KB
MD5

f7d172500e9db552c2a13ad4eee35c0d
SHA1

a1ac27ec0296ef3f92e1ce9e074f35d1abe91e79
SHA256

1306640e843b792a8ad7c5c977975a760128183bd3b76199adf524496c3839f7
SHA512

198607702e67f268a34c24a15ff16a28d35b6db0e2767650bdce10eaefa6cb2cc0226c2f436c07fc958de798031159efd59f4438baab37fddee1020c8ccb016c
SSDEEP

1536:EZk7iqh7asyTeHN2BkJdZYypAieXXAgTKCaRl6bvPZriJm26EknDxzDUTu:Wk2qssyTYNQwZYypAi+X/KCa6bprRhvx

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3012-0-0x00000000001C0000-0x00000000001EE000-memory.dmp	upx

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28
PID 1392 wrote to memory of 3012	1392	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7d172500e9db552c2a13ad4eee35c0d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7d172500e9db552c2a13ad4eee35c0d_JaffaCakes118.dll,#1
  2⤵
  PID:3012

memory/3012-0-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/3012-1-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download