16b8a5f769825180167b3020cbb4440b8334c3d063035d55b8aa32b7162dedaf

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 04:48

Target

4848d974f43834464999457bf79441be_JaffaCakes118.dll
Size

72KB
MD5

4848d974f43834464999457bf79441be
SHA1

23c6382d03d2c325b2c07e2079ced1354a4df674
SHA256

16b8a5f769825180167b3020cbb4440b8334c3d063035d55b8aa32b7162dedaf
SHA512

05fe9e4b11e3eb80e181af64bc285ebd7d60234631ded67f0b8bee1759dd19265503775545cf2d844d05f8114c573c3ca2267f81b2263997cf139fc2781e10f5
SSDEEP

1536:6QDIO81Q0E7UJAEvlYuDmjRYPxxrVBj2Ou9f64J2LcMPMVCKBUxFBgp:6yIxE7UJAu9DOoL7m5F2LdkVDBhp

Score

7^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/2396-1-0x0000000010000000-0x0000000010043000-memory.dmp	vmprotect
behavioral1/memory/2396-0-0x0000000010000000-0x0000000010043000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2960	2396	WerFault.exe	31

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 1000 wrote to memory of 2396	1000	rundll32.exe	31
PID 2396 wrote to memory of 2960	2396	rundll32.exe	32
PID 2396 wrote to memory of 2960	2396	rundll32.exe	32
PID 2396 wrote to memory of 2960	2396	rundll32.exe	32
PID 2396 wrote to memory of 2960	2396	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 228
    3⤵
    - Program crash
    PID:2960

memory/2396-2-0x0000000010031000-0x0000000010032000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/2396-0-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download