yunsip | 41532ef948b3018d78eabdecf71324b052bf9dc2af3199ec73f57da723ea44ee

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 20:17

Target

433139c91fde54ab0ac1559c920f980d_JaffaCakes118.dll
Size

161KB
MD5

433139c91fde54ab0ac1559c920f980d
SHA1

0d090837698384df87f30b543c56b0d2655d5ac8
SHA256

41532ef948b3018d78eabdecf71324b052bf9dc2af3199ec73f57da723ea44ee
SHA512

a821bd6eae140e0dde69eae8914c2bde853023f9c2307c7072bad55f83635f2dd03751a5c7cee48a23e75bb9cf955b6042a148819f4d23536d62e7176eb6a4aa
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Z:jDgtfRQUHPw06MoV2nwTBlhm8B

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30
PID 1968 wrote to memory of 3024	1968	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\433139c91fde54ab0ac1559c920f980d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\433139c91fde54ab0ac1559c920f980d_JaffaCakes118.dll,#1
  2⤵
  PID:3024