61dd233ca128865b959a1010fc4db97f5b0846ea48b72a5ed0e51ca88fabcc9c

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 01:50

Target

06fe464b0f681c156493a88338b6dab7_JaffaCakes118.dll
Size

37KB
MD5

06fe464b0f681c156493a88338b6dab7
SHA1

cc9f3f6aaeede8f326330c5e4701931c458c8eab
SHA256

61dd233ca128865b959a1010fc4db97f5b0846ea48b72a5ed0e51ca88fabcc9c
SHA512

d25c4899fcf623efa2b848c744eba904b3249b3317a30df0b0e34f6249034fae488208a90397740a9cad463ee355d497011ac006048f493b18e103786e5b2f0f
SSDEEP

768:af4DeMKAPgXFLEZY4D1VaykZIXZh2EGksChaydOzLA:af4DeMKAPgVWpQIn2EZpOzLA

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3140	4048	rundll32.exe	92
PID 4048 wrote to memory of 3140	4048	rundll32.exe	92
PID 4048 wrote to memory of 3140	4048	rundll32.exe	92
PID 3140 wrote to memory of 1568	3140	rundll32.exe	93
PID 3140 wrote to memory of 1568	3140	rundll32.exe	93
PID 3140 wrote to memory of 1568	3140	rundll32.exe	93
PID 1568 wrote to memory of 3564	1568	net.exe	95
PID 1568 wrote to memory of 3564	1568	net.exe	95
PID 1568 wrote to memory of 3564	1568	net.exe	95
PID 3140 wrote to memory of 1808	3140	rundll32.exe	96
PID 3140 wrote to memory of 1808	3140	rundll32.exe	96
PID 3140 wrote to memory of 1808	3140	rundll32.exe	96
PID 1808 wrote to memory of 2124	1808	net.exe	98
PID 1808 wrote to memory of 2124	1808	net.exe	98
PID 1808 wrote to memory of 2124	1808	net.exe	98

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06fe464b0f681c156493a88338b6dab7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06fe464b0f681c156493a88338b6dab7_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:3564
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4708

memory/3140-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3140-1-0x00000000005F0000-0x00000000005F5000-memory.dmp

Filesize
20KB

Download
memory/3140-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3140-3-0x00000000005F0000-0x00000000005F5000-memory.dmp

Filesize
20KB

Download