parallax | 2eb6c04c9c64b6e1f3bff890b93808c450f489e936bdfa2dde8ebb4ff229eee9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54532d90ba9844ab2e34d4f37b3c3bd9_JaffaCakes118.dll
Size

3.6MB
MD5

54532d90ba9844ab2e34d4f37b3c3bd9
SHA1

21f7644b0816117149afa02cb2973ff28906e09a
SHA256

2eb6c04c9c64b6e1f3bff890b93808c450f489e936bdfa2dde8ebb4ff229eee9
SHA512

85085e9bf144fbe0d7e152b7af62a698c54d2ba1868607fedb43bb208361464802a1be0172a97f0f13bbd074e0ec30be786565145bdf612185bf70a8a6c18953
SSDEEP

24576:fOM3Wrf85NUD6rkvjsUpqc2/NJzHjUUIGFDPob6nDY7cKunNaun/hBqSGcvzXlJa:fH1Vcujau/h4SGcrQmOrh97TUTRalb

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 17 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1736-10-0x0000000017000000-0x00000000175D2000-memory.dmp	parallax_rat
behavioral2/memory/2712-17-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-30-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-29-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-28-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-27-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-26-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-25-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-24-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-23-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-22-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-21-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-20-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-19-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-16-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-15-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral2/memory/2712-18-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rundll32.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4312	rundll32.exe
1736	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1736	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4312	740	rundll32.exe	86
PID 740 wrote to memory of 4312	740	rundll32.exe	86
PID 740 wrote to memory of 4312	740	rundll32.exe	86
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95
PID 4312 wrote to memory of 1736	4312	rundll32.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54532d90ba9844ab2e34d4f37b3c3bd9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\54532d90ba9844ab2e34d4f37b3c3bd9_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Drops file in Windows directory
      PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-8-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/1736-11-0x0000000017000000-0x00000000175D2000-memory.dmp

Filesize
5.8MB

Download
memory/1736-10-0x0000000017000000-0x00000000175D2000-memory.dmp

Filesize
5.8MB

Download
memory/1736-3-0x0000000001080000-0x0000000001082000-memory.dmp

Filesize
8KB

Download
memory/2712-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-14-0x0000000001770000-0x0000000001778000-memory.dmp

Filesize
32KB

Download
memory/2712-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4312-6-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/4312-0-0x0000000002100000-0x00000000024B3000-memory.dmp

Filesize
3.7MB

Download
memory/4312-1-0x0000000002100000-0x00000000024B3000-memory.dmp

Filesize
3.7MB

Download
memory/4312-2-0x00000000008A0000-0x00000000008AB000-memory.dmp

Filesize
44KB

Download
memory/4312-4-0x0000000002100000-0x00000000024B3000-memory.dmp

Filesize
3.7MB

Download