a23ce90107a14fe7659b220ed36a43598f95a76bf24ca19b7ade5748d6e14752

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 06:32

Target

408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll
Size

874KB
MD5

408f3d46aa422d6c0d0fcad9e8b90f71
SHA1

66f457495b1a1f6291397b9dd5ba1cdc5b249674
SHA256

a23ce90107a14fe7659b220ed36a43598f95a76bf24ca19b7ade5748d6e14752
SHA512

ebf9fd2b9d0611a00000ce4164e67ea15ee9de64b5796dc5e6588b05312b2ab660a07a1866360646f3aa518992787ab4ddad1991c9d99012136fc9340487ecb9
SSDEEP

24576:nL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0LjBut:tK5hPILYHSfeY9n3But

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4700	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0009000000023478-3.dat	upx
behavioral2/memory/4700-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4700-7-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	4700	WerFault.exe	87

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4792	4492	rundll32.exe	85
PID 4492 wrote to memory of 4792	4492	rundll32.exe	85
PID 4492 wrote to memory of 4792	4492	rundll32.exe	85
PID 4792 wrote to memory of 4700	4792	rundll32.exe	87
PID 4792 wrote to memory of 4700	4792	rundll32.exe	87
PID 4792 wrote to memory of 4700	4792	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\408f3d46aa422d6c0d0fcad9e8b90f71_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 260
      4⤵
      Program crash
      PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4700 -ip 4700
1⤵
PID:2480

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
104KB

MD5
c758e8207cc5315a53302a7709b6f049

SHA1
64b7b5417d23f4404b75de4bc82e682294d7319f

SHA256
f73c54d6623c95f858cf13189d367c9a6f1b652a831f4a79435e2f689cd3cbec

SHA512
65954d5ff43ad8447391f8ea1520f55eba789f0224cc588b58556f58f5d0641181afeec003e970ee20ac0cf8039aebf009ee9d7b839f2cd87ab920d69399d6eb

Download Submit
memory/4700-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4700-6-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4700-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4792-0-0x0000000074E40000-0x0000000074F1E000-memory.dmp

Filesize
888KB

Download