9a8de012326c714c11a77d6f43b2bfdb824244f2cf6809f848aba9196bdf0b02

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 09:30

Target

49354f81ebd308831aec1d7adabeeb7d_JaffaCakes118.dll
Size

256KB
MD5

49354f81ebd308831aec1d7adabeeb7d
SHA1

ac96b612e2a66c4d8945fb142bbafac535ddf253
SHA256

9a8de012326c714c11a77d6f43b2bfdb824244f2cf6809f848aba9196bdf0b02
SHA512

e778a85202f4bc568f647ddf41dc74fd80d690d7dd95fd7551315bc004e1d56800b74d4ba5cfa8dd9984b9c9024f8893e65eb3b3cef76e24423da37d3844a0d3
SSDEEP

3072:9dcQ2ZNMSQvbajUTUItjT68+x1qfe5OwVPxEsZbbANOhpeTav9DTlO:dATSOjUQK9e5OwVPxhZQ8hpt1DTlO

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
3044	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x00080000000234f3-3.dat	upx
behavioral2/memory/3044-5-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3044-7-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	3044	WerFault.exe	86

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1188	4464	rundll32.exe	83
PID 4464 wrote to memory of 1188	4464	rundll32.exe	83
PID 4464 wrote to memory of 1188	4464	rundll32.exe	83
PID 1188 wrote to memory of 3044	1188	rundll32.exe	86
PID 1188 wrote to memory of 3044	1188	rundll32.exe	86
PID 1188 wrote to memory of 3044	1188	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49354f81ebd308831aec1d7adabeeb7d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\49354f81ebd308831aec1d7adabeeb7d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:3044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 264
      4⤵
      Program crash
      PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3044 -ip 3044
1⤵
PID:4160

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
104KB

MD5
84b7783804fa7506672a409e9899c6be

SHA1
2da8a6e9c04662564e18cdf98f73e224a5662533

SHA256
b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef

SHA512
8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c

Download Submit
memory/1188-1-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/3044-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3044-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3044-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download