0584b9a056873bd922f5629122fb8659ac47d1c934d1b998c777b89026749b63

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 09:49

Target

412be09c140e655888a6c3bdab0e9d1e_JaffaCakes118.dll
Size

39KB
MD5

412be09c140e655888a6c3bdab0e9d1e
SHA1

a3ddac2ef92ccde6f6b2ba98fadf5a5a0f7e5be8
SHA256

0584b9a056873bd922f5629122fb8659ac47d1c934d1b998c777b89026749b63
SHA512

7dfc6c0b11d5919158c3221121e726b57d1f18349189583db5c6f6ff2ec8df655ea992a17573fc17ee98ea2ed25fedeb6d51c54f5401425b8311e4e259581285
SSDEEP

768:Rs4ntnElhJyrECzvoR0YkzwkTNHQsriAk+zxKFjWGMg1CR/8cua/V:Rs4nt4h8YCjomwkasriAojWGBCy2

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2900-2-0x0000000010000000-0x000000001001B000-memory.dmp	upx
behavioral1/memory/2900-1-0x0000000010000000-0x000000001001B000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	2900	WerFault.exe	30

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 3040 wrote to memory of 2900	3040	rundll32.exe	30
PID 2900 wrote to memory of 2308	2900	rundll32.exe	31
PID 2900 wrote to memory of 2308	2900	rundll32.exe	31
PID 2900 wrote to memory of 2308	2900	rundll32.exe	31
PID 2900 wrote to memory of 2308	2900	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\412be09c140e655888a6c3bdab0e9d1e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\412be09c140e655888a6c3bdab0e9d1e_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 240
    3⤵
    - Program crash
    PID:2308

memory/2900-2-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2900-1-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2900-0-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download