0ff3c9098a2b336916c3fecaf3d0a90354f6e3332c099f7171c302c572f85dca

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 12:35

Target

3d66b6170badfefb74ff2d1377d5afb3_JaffaCakes118.dll
Size

201KB
MD5

3d66b6170badfefb74ff2d1377d5afb3
SHA1

1212981f325c60a6a7d296929b047c7d74d16776
SHA256

0ff3c9098a2b336916c3fecaf3d0a90354f6e3332c099f7171c302c572f85dca
SHA512

d0f88a91ba58fa04ae883d59617ddcd83d8a654a6248ea3abfe04e88cbf296b25ed4fbafc304cdce2b067d57ebc198922cce99f596635b02ed4b20148ee03153
SSDEEP

6144:bNhusqvH9ylSJI8eCgD8yCish9EfKfys/g+5:hws2918UIshGKfyK

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1600-0-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	1600	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1600	672	rundll32.exe	83
PID 672 wrote to memory of 1600	672	rundll32.exe	83
PID 672 wrote to memory of 1600	672	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d66b6170badfefb74ff2d1377d5afb3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d66b6170badfefb74ff2d1377d5afb3_JaffaCakes118.dll,#1
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 544
    3⤵
    - Program crash
    PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1600 -ip 1600
1⤵
PID:4816

memory/1600-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1600-1-0x0000000002C40000-0x0000000002C55000-memory.dmp

Filesize
84KB

Download