717017af9609e442028d0b360e5238769668de001bfa0372e02e49c9bab911ec

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 15:14

Target

fd0d050622e4454448c3200cedb5e8a9_JaffaCakes118.dll
Size

743KB
MD5

fd0d050622e4454448c3200cedb5e8a9
SHA1

c44b35665179a82f8909fcc5880b756a5bd4aa16
SHA256

717017af9609e442028d0b360e5238769668de001bfa0372e02e49c9bab911ec
SHA512

cb88edebdf6980390fd237c349e5c56b8d2ddc28d268cfae154a434e804a2911805292b84b665cfd00bd80e64577a7cad3be5ae05eff88ebcafaf1fb67cc6d0e
SSDEEP

12288:Tf68zjnT+2a8+p0/IARbJkale360zCA9JK7LdBzSZd6Z/+rXm5AQKa8/VyFcajNp:Tjjny2a8S0/1EaleYUKn2ZY2TmAQN0Vi

Score

7^/10

vmprotect

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/4400-0-0x0000000000400000-0x00000000005B4000-memory.dmp	vmprotect
behavioral2/memory/4400-1-0x0000000000400000-0x00000000005B4000-memory.dmp	vmprotect
behavioral2/memory/4400-2-0x0000000000400000-0x00000000005B4000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4400	5100	rundll32.exe	85
PID 5100 wrote to memory of 4400	5100	rundll32.exe	85
PID 5100 wrote to memory of 4400	5100	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd0d050622e4454448c3200cedb5e8a9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd0d050622e4454448c3200cedb5e8a9_JaffaCakes118.dll,#1
  2⤵
  PID:4400

memory/4400-0-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/4400-1-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/4400-2-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download