Analysis

max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2024, 04:22
Behavioral task

behavioral1
Sample: 2af5e6f4b27d255a48f06be04c95729c_JaffaCakes118.dll
Resource: win7-20240704-en
1 signatures
150 seconds
General

Target: 2af5e6f4b27d255a48f06be04c95729c_JaffaCakes118.dll
Size: 97KB
MD5: 2af5e6f4b27d255a48f06be04c95729c
SHA1: 9b0976254c7eb4489f7c53d920b9d1739cee9825
SHA256: b5a8c7b21c28b22ed346baadd2bfc01db759136879f80d9172934d59a68077a5
SHA512: c81b487841ab959860c19fc2a8d1971ada6e2dad7156f455805f11581412447872ca6bb00dc4c3890fd92917a4419fbcdc8fcbb75135d4621cfa2d1a47231ab8
SSDEEP: 1536:Y3IyKKnB6qmWBDsxJ1t+SUIcRIcAt5Wfheqj+JSr1Qw3LUx9QYWN:FyvcWBDs/1t96IPtWheqvRQw3LUx9Q5N
Malware Config

Signatures

Gh0st RAT payload (1 IoC)
    resource    | yara_rule
    behavioral2/memory/2780-0-0x0000000010000000-0x000000001001D000-memory.dmp | family_gh0strat

Suspicious use of WriteProcessMemory (3 IoCs)
    description                       | pid  | Process      | procid_target
    PID 4224 wrote to memory of 2780  | 4224 | rundll32.exe | 82
    PID 4224 wrote to memory of 2780  | 4224 | rundll32.exe | 82
    PID 4224 wrote to memory of 2780  | 4224 | rundll32.exe | 82
Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2af5e6f4b27d255a48f06be04c95729c_JaffaCakes118.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 4224

    C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\2af5e6f4b27d255a48f06be04c95729c_JaffaCakes118.dll,#1
        PID: 2780