d7b13f9abe0996005793e4d3dde1a0405f0b751bb308a1a0d4cb6f93e530d8b7

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 06:53

Target

192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll
Size

152KB
MD5

192fb6e2bdcde0bda543280379c34c65
SHA1

610bbb99cfb943596282f8d036474697249a8fcb
SHA256

d7b13f9abe0996005793e4d3dde1a0405f0b751bb308a1a0d4cb6f93e530d8b7
SHA512

8e382eb7b836c61778417ca81bea5fc4ccd67f788e2e1927e46c6a6f70fdfc66babf3b037e1612586bfcb72643761695f33546f7ef8267bbfb8979d3530cbffc
SSDEEP

3072:lgQ0gIxmmDDpx1QPUhUapVsJfNsyU39nWshV:CgIYnUhbpGTsz35VD

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

2072 rundll32mgr.exe

pid	process
2072	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/2072-4-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2072-7-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4232 4564 WerFault.exe rundll32.exe
4840 2072 WerFault.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
4232	4564	WerFault.exe	rundll32.exe
4840	2072	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3156 wrote to memory of 4564	3156	rundll32.exe	rundll32.exe
PID 3156 wrote to memory of 4564	3156	rundll32.exe	rundll32.exe
PID 3156 wrote to memory of 4564	3156	rundll32.exe	rundll32.exe
PID 4564 wrote to memory of 2072	4564	rundll32.exe	rundll32mgr.exe
PID 4564 wrote to memory of 2072	4564	rundll32.exe	rundll32mgr.exe
PID 4564 wrote to memory of 2072	4564	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 268
4⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 608
3⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2072 -ip 2072
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4564 -ip 4564
1⤵
PID:1664

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
73KB

MD5
23842802587d1c2570eec734a06cc188

SHA1
aecd57ced1f79fa0dcc93076b3254216d08b907f

SHA256
aa94699c1420a0a2c0d07a936fe2acc26cdbb410f7bc47552110504e91b4a8d8

SHA512
80ebdf18eff5b25e4ce2dccb44d5b55a9e377b5b339da3a253679d0a4eb0e6fb57595aabb979014aa4e3d59f8622d4660df763d79d8a813365eff0538c05b1c7

Download Submit
memory/2072-4-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2072-6-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2072-7-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4564-1-0x000000006D430000-0x000000006D458000-memory.dmp

Filesize
160KB

Download
memory/4564-8-0x000000006D430000-0x000000006D458000-memory.dmp

Filesize
160KB

Download