yunsip | 2605e639e6493b0aaf54383d01f7f6a17fc05b45156defb2dce58261a0c242ff

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 16:19

Target

0ebb0082cd5726589061f4d1d8c651d4_JaffaCakes118.dll
Size

190KB
MD5

0ebb0082cd5726589061f4d1d8c651d4
SHA1

4ef1d82e82cc4b0eb57a2ee99f6f53d2ea26a60c
SHA256

2605e639e6493b0aaf54383d01f7f6a17fc05b45156defb2dce58261a0c242ff
SHA512

7009fa2d18b2d70f81af7c951c6aa120263cbacd96943ea1f947f4f9c0b9d48ead0b0e2fa25a3c642227243a2be50f4476a446ddbc42f24d13198b739339b939
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0L:jDgtfRQUHPw06MoV2nwTBlhm8T

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4484	1652	rundll32.exe	89
PID 1652 wrote to memory of 4484	1652	rundll32.exe	89
PID 1652 wrote to memory of 4484	1652	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ebb0082cd5726589061f4d1d8c651d4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ebb0082cd5726589061f4d1d8c651d4_JaffaCakes118.dll,#1
  2⤵
  PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4104,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:3828