faa9a05d0bcbbd0d1e0516a9915c802596185919379f3f2c713939ee466e0bae

Analysis

max time kernel
95s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 06:06

Target

5abf629c57c4708f65b80dc4f3be175a_JaffaCakes118.dll
Size

19KB
MD5

5abf629c57c4708f65b80dc4f3be175a
SHA1

d61fac7fb22a6ce681f9a03354422f7802108e2d
SHA256

faa9a05d0bcbbd0d1e0516a9915c802596185919379f3f2c713939ee466e0bae
SHA512

c0af02b9d3592cdbc4363d6558ecca5f14e450c385f71371544406848fc9c6094af8a15d3d9ca2ccccd565b982f23b98295402e9c9484f41a1392f5b9014b98a
SSDEEP

384:r0eUHWC+hvRi0CI+lkboVpabT/I+5Qn2HDPxS4MoP5N9R+PWA8MPWD:9UHWCEvRiwNbofg/tWGPLxP5Nb1Mw

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1680-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1680	4256	rundll32.exe	86
PID 4256 wrote to memory of 1680	4256	rundll32.exe	86
PID 4256 wrote to memory of 1680	4256	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5abf629c57c4708f65b80dc4f3be175a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5abf629c57c4708f65b80dc4f3be175a_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

memory/1680-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download