05e00652504e31cf7ff8b660b1305bac68230af35b6b6e4ba64a417383e23638

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 09:37

Target

21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll
Size

241KB
MD5

21e297eefb0d199aaae7da5aa9399320
SHA1

d5ad2fdbae7495170f046ee8d1716d51a8bf923e
SHA256

05e00652504e31cf7ff8b660b1305bac68230af35b6b6e4ba64a417383e23638
SHA512

e619afe903e67ce4d41137aa1f43b29f8437b8974033ee1a2e16e79debbf87ebe6a2ec83748ea7096bf5f7868cfa9fa27ffe4e5cfd99b433cf997cc23ac5bf4d
SSDEEP

6144:4VoguLpLhbQhkaFTAGvpHaS9oYU9j9b3hXG+C:4W/RSFFFHaS9oYU9rG+C

Score

7^/10

upx

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4804-0-0x0000000010000000-0x00000000100A9000-memory.dmp	upx
behavioral2/memory/4804-1-0x0000000010000000-0x00000000100A9000-memory.dmp	upx
behavioral2/memory/4804-2-0x0000000010000000-0x00000000100A9000-memory.dmp	upx
behavioral2/memory/4804-5-0x0000000010000000-0x00000000100A9000-memory.dmp	upx
behavioral2/memory/4804-6-0x0000000010000000-0x00000000100A9000-memory.dmp	upx
behavioral2/memory/4804-7-0x0000000010000000-0x00000000100A9000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4804	1536	rundll32.exe	83
PID 1536 wrote to memory of 4804	1536	rundll32.exe	83
PID 1536 wrote to memory of 4804	1536	rundll32.exe	83
PID 4804 wrote to memory of 1076	4804	rundll32.exe	84
PID 4804 wrote to memory of 1076	4804	rundll32.exe	84
PID 4804 wrote to memory of 1076	4804	rundll32.exe	84
PID 1076 wrote to memory of 612	1076	net.exe	86
PID 1076 wrote to memory of 612	1076	net.exe	86
PID 1076 wrote to memory of 612	1076	net.exe	86
PID 4804 wrote to memory of 4560	4804	rundll32.exe	98
PID 4804 wrote to memory of 4560	4804	rundll32.exe	98
PID 4804 wrote to memory of 4560	4804	rundll32.exe	98
PID 4560 wrote to memory of 2772	4560	net.exe	100
PID 4560 wrote to memory of 2772	4560	net.exe	100
PID 4560 wrote to memory of 2772	4560	net.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e297eefb0d199aaae7da5aa9399320_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:612
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:2772

memory/4804-0-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-1-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-3-0x0000000002E00000-0x0000000002E3A000-memory.dmp

Filesize
232KB

Download
memory/4804-2-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-4-0x000000001006E000-0x00000000100A6000-memory.dmp

Filesize
224KB

Download
memory/4804-5-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-6-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-7-0x0000000010000000-0x00000000100A9000-memory.dmp

Filesize
676KB

Download
memory/4804-8-0x000000001006E000-0x00000000100A6000-memory.dmp

Filesize
224KB

Download