a816ca11726dd48e3d822a28917ded7947a1724c9947d12b945cbebd6b220da6

Analysis

max time kernel
128s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 15:47

Target

16942347533e0e7872b64d70e847d040_JaffaCakes118.dll
Size

152KB
MD5

16942347533e0e7872b64d70e847d040
SHA1

0e136c8158ed5b5e766b971570ba4c516f559671
SHA256

a816ca11726dd48e3d822a28917ded7947a1724c9947d12b945cbebd6b220da6
SHA512

4d8631a6c37ce014c8947c0d1e493fd2e080afa8a3d686dd53beb0dd567a38fc5742c2ac18156a519ce25ca45be6099562a0a58d4f9cf405d296b1111904a975
SSDEEP

3072:nD09MaWLOdfPQdYeW2y6FilwffjVA0YaDQ0gl2aHhmhC:RaqOdHQ9vnjj1EmY

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4384 rundll32mgr.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

C:\Windows\SysWOW64\rundll32mgr.exe upx
behavioral2/memory/4384-5-0x0000000000400000-0x000000000046E000-memory.dmp upx
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3084 2368 WerFault.exe rundll32.exe
3904 4384 WerFault.exe rundll32mgr.exe

pid	process
4384	rundll32mgr.exe

resource	yara_rule
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/4384-5-0x0000000000400000-0x000000000046E000-memory.dmp	upx

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
3084	2368	WerFault.exe	rundll32.exe
3904	4384	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4540 wrote to memory of 2368	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 2368	4540	rundll32.exe	rundll32.exe
PID 4540 wrote to memory of 2368	4540	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 4384	2368	rundll32.exe	rundll32mgr.exe
PID 2368 wrote to memory of 4384	2368	rundll32.exe	rundll32mgr.exe
PID 2368 wrote to memory of 4384	2368	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16942347533e0e7872b64d70e847d040_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 264
4⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 608
3⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2368 -ip 2368
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4384 -ip 4384
1⤵
PID:3444

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
memory/2368-4-0x000000006D240000-0x000000006D266000-memory.dmp

Filesize
152KB

Download
memory/4384-6-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4384-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download