yunsip | c33d9c24a68e2f3ad8e1959dd55328e0bd5de397b2b6058a57ed05e2f0f1b649

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 06:32

Target

2b5245375e9352b6dafb17fd3f8c573e_JaffaCakes118.dll
Size

139KB
MD5

2b5245375e9352b6dafb17fd3f8c573e
SHA1

26a0c376e1a806c24c9e41b517ea7681ec3d101e
SHA256

c33d9c24a68e2f3ad8e1959dd55328e0bd5de397b2b6058a57ed05e2f0f1b649
SHA512

ea4b740730f81392fb8c7b5596d7616ce2822859bf1905e85088e199b5d2fc363dfd0bb6e6071b893b604fab04ed0ec0697dbc8718d37c3d7f11e8525e564656
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Z:jDgtfRQUHPw06MoV2nwTBlhm8B

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 616	892	rundll32.exe	82
PID 892 wrote to memory of 616	892	rundll32.exe	82
PID 892 wrote to memory of 616	892	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5245375e9352b6dafb17fd3f8c573e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5245375e9352b6dafb17fd3f8c573e_JaffaCakes118.dll,#1
  2⤵
  PID:616