8f8821498d949c99ccb37134291c28a9125194bdfcbe06abe76910e7257465e9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 04:20

Target

fbe9d1bfecd4f46894f1e3570a010399_JaffaCakes118.dll
Size

540KB
MD5

fbe9d1bfecd4f46894f1e3570a010399
SHA1

8f971b1d5880600111f7dfdade059f13038bc799
SHA256

8f8821498d949c99ccb37134291c28a9125194bdfcbe06abe76910e7257465e9
SHA512

63fc5edf97e6893f0954ccba988336438f22d2ea9f4f34ed4eb44fd7c614ea506c360a020eb57141bf0d4cecce3d6194e342529fafbf7325ab69629917fc327d
SSDEEP

6144:D08qM+fa7dCKdMF9qLWVHFOTNdTRfMI8suV:D08q67dCKdMfqL0HiHU

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

regsvr32Srv.exe

pid process

3764 regsvr32Srv.exe

pid	process
3764	regsvr32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\regsvr32Srv.exe	upx
behavioral2/memory/3764-5-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral2/memory/3764-7-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32Srv.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2316 3764 WerFault.exe regsvr32Srv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

pid	pid_target	process	target process
2316	3764	WerFault.exe	regsvr32Srv.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4480 wrote to memory of 4148	4480	regsvr32.exe	regsvr32.exe
PID 4480 wrote to memory of 4148	4480	regsvr32.exe	regsvr32.exe
PID 4480 wrote to memory of 4148	4480	regsvr32.exe	regsvr32.exe
PID 4148 wrote to memory of 3764	4148	regsvr32.exe	regsvr32Srv.exe
PID 4148 wrote to memory of 3764	4148	regsvr32.exe	regsvr32Srv.exe
PID 4148 wrote to memory of 3764	4148	regsvr32.exe	regsvr32Srv.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fbe9d1bfecd4f46894f1e3570a010399_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\regsvr32Srv.exe
C:\Windows\SysWOW64\regsvr32Srv.exe
3⤵
- Executes dropped EXE
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 268
4⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3764 -ip 3764
1⤵
PID:1616

C:\Windows\SysWOW64\regsvr32Srv.exe
Filesize
269KB

MD5
70e14922cf55be62de85952538614a68

SHA1
e17df463900433743b3214b97eccf64f2fc98dce

SHA256
385cd8f758781f36199f48ffa9411d3ec936f0e3d041aae01d8cbadccc3b3883

SHA512
f733786abe3318ef463912455717da84d3b55139d7f7a358cbc14a690b290a21c6d73dd0ffa37bead576aff284e9f7708e5c2df2277343823163fce1ed7a3b89

Download Submit
memory/3764-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3764-6-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3764-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4148-1-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download