d4277bd7bc4654d4c0b7ca5c74894e1ba75cc7612ac1129d0441132ce6ace8e0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 01:59

Target

2440921d6d97837e32085d92db769167_JaffaCakes118.exe
Size

23KB
MD5

2440921d6d97837e32085d92db769167
SHA1

ea835f34cebc49676b6223dfd4812e5b7bbf7655
SHA256

d4277bd7bc4654d4c0b7ca5c74894e1ba75cc7612ac1129d0441132ce6ace8e0
SHA512

aba091b2cdc4cacfa7eeeee712ac510a97e5ed1ec61e53c6b9a17883864ceedcff29e783e7052a50c916867d5b72f8bd59db4c25c89973eb6f3a2c254819ae88
SSDEEP

384:/T4d8WgztszLLHOwZrxNNHXqbvlsrtJ1wg+s5/x56A+AsjpItnaNJawcudoD7UJ1:kdCztszLioJXglshF75/x56QWnbcuyDw

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
3272	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3272	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1404-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1404-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1003.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsXpDat.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsXpDat.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system.ini	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\New.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\New.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\1003.dll	2440921d6d97837e32085d92db769167_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4356	1404	2440921d6d97837e32085d92db769167_JaffaCakes118.exe	89
PID 1404 wrote to memory of 4356	1404	2440921d6d97837e32085d92db769167_JaffaCakes118.exe	89
PID 1404 wrote to memory of 4356	1404	2440921d6d97837e32085d92db769167_JaffaCakes118.exe	89
PID 4356 wrote to memory of 3272	4356	cmd.exe	91
PID 4356 wrote to memory of 3272	4356	cmd.exe	91
PID 4356 wrote to memory of 3272	4356	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\n04d.dll

Filesize
26KB

MD5
e6c8801074e1110976061c9306cd8ba8

SHA1
927443a0400f42a7e708726e43acde676f254250

SHA256
e1c0bb46cd92f904d8fe07f8f4b12782783cab5af0f2b52d76660d3607d1d3a3

SHA512
4c10d713118280c1ed3ef88c9f74e59ff9ed50ce870b8a29d44c324d6c8efc365d74b2d70b1faac107e34f46d226c5bd4c3e3c251e6d77ba88b92570886f11e9

Download Submit
memory/1404-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1404-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download