6a09d5cd9c839868af56e8917fc4fe2314e5c9e60772cc7377cd8270e2c527dc

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 13:59

Target

f825a73f485653d18fa7865191c5634e_JaffaCakes118.dll
Size

612KB
MD5

f825a73f485653d18fa7865191c5634e
SHA1

d640f3823d683fd767ae3555229871156c25fc1c
SHA256

6a09d5cd9c839868af56e8917fc4fe2314e5c9e60772cc7377cd8270e2c527dc
SHA512

e8776c00366afc213872060848bd65ce5caf52b8cb619d76b48e3119b14159a850a51ca869b2826b9e27a8f1c78d6f8c563f54d33441a122aaf529530b7f1c07
SSDEEP

12288:y4O3liJG1PmeeVByRP8I6oH4M21AMMJypUrmhZNsy0PKoGcLszGVvcfRY:y4EQHxQkI6q4M229JqUrmHNsyiKHSUfR

Score

7^/10

themida

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

resource	yara_rule
behavioral1/memory/2900-0-0x0000000074810000-0x0000000074987000-memory.dmp	themida

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28
PID 2872 wrote to memory of 2900	2872	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f825a73f485653d18fa7865191c5634e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f825a73f485653d18fa7865191c5634e_JaffaCakes118.dll,#1
  2⤵
  PID:2900

memory/2900-0-0x0000000074810000-0x0000000074987000-memory.dmp

Filesize
1.5MB

Download
memory/2900-1-0x0000000074690000-0x0000000074807000-memory.dmp

Filesize
1.5MB

Download