06fe1b18a1262ddd968c73f1c882ddac90f83809da404c865e784eda1df5cd65

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 04:56

Target

2d753841f8aa425111be15d60ba55821_JaffaCakes118.dll
Size

228KB
MD5

2d753841f8aa425111be15d60ba55821
SHA1

2b9a549e83400cfe86225b227174f4a1cea6071f
SHA256

06fe1b18a1262ddd968c73f1c882ddac90f83809da404c865e784eda1df5cd65
SHA512

cf9859a0edf72a2e33102dad8b37ea7c45cd0e6166037fdf8f78bca5b56078fd5b74b869d0e14db52b1de202cf099a81c8e5ea06fb91396e1256a29b946ba564
SSDEEP

6144:y+ZQSCX+9cl4d8kDhMUFfQHuUAv+qdbC8S89V:XZQRGm4dzDhzfeR6bF9V

Score

7^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000122cd-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2028	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x00070000000122cd-1.dat	upx
behavioral1/memory/2028-3-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2028-5-0x0000000010000000-0x0000000010032000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28
PID 2156 wrote to memory of 2028	2156	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d753841f8aa425111be15d60ba55821_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d753841f8aa425111be15d60ba55821_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:2028

\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
bf8084efb36a3974d46604f308b7ea65

SHA1
94f0f16b6c35a2451eb6392e13930fda3229d8b1

SHA256
611c4b289a0a7b9b6acbe3d9d03a3799e52174eab3d8288e242e1006c78c264a

SHA512
0200870637be49cd867372cb85613ad347b927a00aae0ecebf300014a341ee29673030282092e7cd1a8299866dacca90e522755ed3d4eb45daef7d00c729a7c5

Download Submit
memory/2028-3-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2028-5-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download