e7ac7235baadfd14f27d5cd604c5b20a2b19677f1b00d4ce16e47845d5d0796f

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 18:10

Target

0885087f966136eeb3c60fd7c515ed58_JaffaCakes118.dll
Size

704KB
MD5

0885087f966136eeb3c60fd7c515ed58
SHA1

fc68e34ed03507eae4c88e14ea527ef4a8fa80ac
SHA256

e7ac7235baadfd14f27d5cd604c5b20a2b19677f1b00d4ce16e47845d5d0796f
SHA512

a02278382e0e804845a8c07cc1bc690998b347ac0673469eabc65a9d90f09cb9d41e650829f4fd15350718640df65f7db4678498a2ba031b67a357fc6b9a81c2
SSDEEP

12288:80ywjWtUO+Oke04VGUl6vhOiue+bhPrRx4vSZqB7Y0lnMyC2+EpjL7aO:bCwsdPJyC29x1

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1624	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4900	4880	WerFault.exe	85

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 4880	228	rundll32.exe	85
PID 228 wrote to memory of 4880	228	rundll32.exe	85
PID 228 wrote to memory of 4880	228	rundll32.exe	85
PID 4880 wrote to memory of 1624	4880	rundll32.exe	86
PID 4880 wrote to memory of 1624	4880	rundll32.exe	86
PID 4880 wrote to memory of 1624	4880	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0885087f966136eeb3c60fd7c515ed58_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0885087f966136eeb3c60fd7c515ed58_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 628
    3⤵
    - Program crash
    PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4880 -ip 4880
1⤵
PID:3216

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
76KB

MD5
2e7df5ae9dcabe137166989493d996a9

SHA1
00a2f1abd5480d5e23bf512a8ee37aa842f69b54

SHA256
4c53f34aa96dc64de964e0f440218ea918b4ac56576323edb4626b17265bd8ef

SHA512
38bbc02e1767a8337ce53c73c637d4d9ec883d9f966dff26fb92ecda6d56646166deb5836a7edfd43725408f2e31f07935dbfaf726e6ea77c64ade18bad42d8f

Download Submit
memory/4880-0-0x0000000010000000-0x00000000100B1000-memory.dmp

Filesize
708KB

Download
memory/4880-5-0x0000000010000000-0x00000000100B1000-memory.dmp

Filesize
708KB

Download