54052bdd3041faa0dbe9cef4882de210b9fde9b29660c7187fdfdba41d423eab

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 14:59

Target

5c6f730ffac2ba15f44505645e9f318e_JaffaCakes118.dll
Size

36KB
MD5

5c6f730ffac2ba15f44505645e9f318e
SHA1

be1a4615327ae7f7183d296fed27bf46d7f14801
SHA256

54052bdd3041faa0dbe9cef4882de210b9fde9b29660c7187fdfdba41d423eab
SHA512

5ca7bfec7e8eea13341758f8683e88007ae3f2932da031841ead277782858878299e1ab9024af73e904df7aae23b0ea1e1387bc89ab4545472fae916ab2c6fd5
SSDEEP

768:nlj0IMbsgC3n31yF6/xu08sWq5lpxSAK:nlYEgC331I6/xPiupwt

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2060	2536	rundll32.exe	86
PID 2536 wrote to memory of 2060	2536	rundll32.exe	86
PID 2536 wrote to memory of 2060	2536	rundll32.exe	86
PID 2060 wrote to memory of 1992	2060	rundll32.exe	88
PID 2060 wrote to memory of 1992	2060	rundll32.exe	88
PID 2060 wrote to memory of 1992	2060	rundll32.exe	88
PID 1992 wrote to memory of 1928	1992	net.exe	90
PID 1992 wrote to memory of 1928	1992	net.exe	90
PID 1992 wrote to memory of 1928	1992	net.exe	90
PID 2060 wrote to memory of 1712	2060	rundll32.exe	92
PID 2060 wrote to memory of 1712	2060	rundll32.exe	92
PID 2060 wrote to memory of 1712	2060	rundll32.exe	92
PID 1712 wrote to memory of 4072	1712	net.exe	94
PID 1712 wrote to memory of 4072	1712	net.exe	94
PID 1712 wrote to memory of 4072	1712	net.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c6f730ffac2ba15f44505645e9f318e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c6f730ffac2ba15f44505645e9f318e_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:4072

memory/2060-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2060-1-0x0000000000620000-0x0000000000625000-memory.dmp

Filesize
20KB

Download
memory/2060-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download