gandcrab | 56573b5dcf6817999cd7569e2949de7e874aeb1c7bbc125203fb81aac83d9e0d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 17:16

Target

6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
Size

69KB
MD5

6f3fcbc1a4d54346e0778b75f898e985
SHA1

48312dfd2fe0f97393095c945f657d1ac769b3b0
SHA256

56573b5dcf6817999cd7569e2949de7e874aeb1c7bbc125203fb81aac83d9e0d
SHA512

2e26309053f7e75ea4b7b68f7235843e28be7c708aecae85523b7d9a8fbe779b79b95cda56ca4232f61d42268f107bc1addd75369f333b3691cb4a49c6ac9597
SSDEEP

1536:WZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAmMqqU+2bbbAV2/S2Lccu:wBounVyFHjMqqDL2/Lcc

Score

10^/10

GandCrab payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2228-0-0x000000000F7C0000-0x000000000F7D6000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2180 2228 WerFault.exe 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe

pid	pid_target	process	target process
2180	2228	WerFault.exe	6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe

description	pid	process	target process
PID 2228 wrote to memory of 2180	2228	6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe	WerFault.exe
PID 2228 wrote to memory of 2180	2228	6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe	WerFault.exe
PID 2228 wrote to memory of 2180	2228	6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe	WerFault.exe
PID 2228 wrote to memory of 2180	2228	6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 124
2⤵
- Program crash
PID:2180

memory/2228-0-0x000000000F7C0000-0x000000000F7D6000-memory.dmp

Filesize
88KB

Download