1fd56cb53585c16c1b844f9189ef5035ce75ff0031d3df4bf2e13bfa41669964

Analysis

max time kernel
101s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 10:27

Target

6733cad4b67077035333537126c7dbcf_JaffaCakes118.dll
Size

37KB
MD5

6733cad4b67077035333537126c7dbcf
SHA1

1dfa16b1439233ab8b0da9824a9c018b426d4cc9
SHA256

1fd56cb53585c16c1b844f9189ef5035ce75ff0031d3df4bf2e13bfa41669964
SHA512

ceaa012531cde537b8cc270431bf68431e54fa9385f0bd2526a460e780f50476fc5ed58b3a27bd51a761b284e91e729c7781b8217c79f177b9783b6105edc9e5
SSDEEP

768:3c2ABjSfMh7DTDYI1PbjjswnBfmxsyljPzDDvbw:3c2cBvPDjnBfmWyl3

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 4848	1040	rundll32.exe	84
PID 1040 wrote to memory of 4848	1040	rundll32.exe	84
PID 1040 wrote to memory of 4848	1040	rundll32.exe	84
PID 4848 wrote to memory of 4612	4848	rundll32.exe	85
PID 4848 wrote to memory of 4612	4848	rundll32.exe	85
PID 4848 wrote to memory of 4612	4848	rundll32.exe	85
PID 4612 wrote to memory of 2200	4612	net.exe	87
PID 4612 wrote to memory of 2200	4612	net.exe	87
PID 4612 wrote to memory of 2200	4612	net.exe	87
PID 4848 wrote to memory of 4604	4848	rundll32.exe	89
PID 4848 wrote to memory of 4604	4848	rundll32.exe	89
PID 4848 wrote to memory of 4604	4848	rundll32.exe	89
PID 4604 wrote to memory of 784	4604	net.exe	91
PID 4604 wrote to memory of 784	4604	net.exe	91
PID 4604 wrote to memory of 784	4604	net.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6733cad4b67077035333537126c7dbcf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6733cad4b67077035333537126c7dbcf_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:784

memory/4848-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4848-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download