a23ce90107a14fe7659b220ed36a43598f95a76bf24ca19b7ade5748d6e14752

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 06:32

Target

408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll
Size

874KB
MD5

408f3d46aa422d6c0d0fcad9e8b90f71
SHA1

66f457495b1a1f6291397b9dd5ba1cdc5b249674
SHA256

a23ce90107a14fe7659b220ed36a43598f95a76bf24ca19b7ade5748d6e14752
SHA512

ebf9fd2b9d0611a00000ce4164e67ea15ee9de64b5796dc5e6588b05312b2ab660a07a1866360646f3aa518992787ab4ddad1991c9d99012136fc9340487ecb9
SSDEEP

24576:nL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0LjBut:tK5hPILYHSfeY9n3But

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2016	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	rundll32.exe
2552	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000c00000001225f-9.dat	upx
behavioral1/memory/2016-13-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2016-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 2552 wrote to memory of 2016	2552	rundll32.exe	31
PID 2552 wrote to memory of 2016	2552	rundll32.exe	31
PID 2552 wrote to memory of 2016	2552	rundll32.exe	31
PID 2552 wrote to memory of 2016	2552	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2016

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
104KB

MD5
c758e8207cc5315a53302a7709b6f049

SHA1
64b7b5417d23f4404b75de4bc82e682294d7319f

SHA256
f73c54d6623c95f858cf13189d367c9a6f1b652a831f4a79435e2f689cd3cbec

SHA512
65954d5ff43ad8447391f8ea1520f55eba789f0224cc588b58556f58f5d0641181afeec003e970ee20ac0cf8039aebf009ee9d7b839f2cd87ab920d69399d6eb

Download Submit
memory/2016-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2552-0-0x0000000074D40000-0x0000000074E1E000-memory.dmp

Filesize
888KB

Download
memory/2552-2-0x0000000074C60000-0x0000000074D3E000-memory.dmp

Filesize
888KB

Download
memory/2552-11-0x0000000074D30000-0x0000000074E0E000-memory.dmp

Filesize
888KB

Download
memory/2552-10-0x0000000074D40000-0x0000000074E1E000-memory.dmp

Filesize
888KB

Download
memory/2552-14-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download