2e43e54c3955734a8a49b2334c7636c6c19ebd54ac48f3c9ca147288049cb1f8

Analysis

max time kernel
134s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:55

Target

1c7742aeb8aba1feb5b50dffcfb3e05e_JaffaCakes118.dll
Size

503KB
MD5

1c7742aeb8aba1feb5b50dffcfb3e05e
SHA1

623f891f9a7af467ca1e94379022b36241ffba70
SHA256

2e43e54c3955734a8a49b2334c7636c6c19ebd54ac48f3c9ca147288049cb1f8
SHA512

207571d9dd66ba0100e42e7eb49eb02c58c02c916f2acd8c40024ca6d2939747c0d5ee85ec64b54ad63b53c07a74a78f80d7c1e32c1ab6e87f60b8850acce023
SSDEEP

12288:AT7VycY0yDyt5wnfhLYik7rM5rrKve7RcyqX/3:AT7Vyc5yDyt5ifxYr7E/KuRSf

Score

7^/10

VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

behavioral2/memory/4800-0-0x0000000010000000-0x00000000100FC000-memory.dmp vmprotect
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

4800 rundll32.exe

resource	yara_rule
behavioral2/memory/4800-0-0x0000000010000000-0x00000000100FC000-memory.dmp	vmprotect

pid	process
4800	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1656 wrote to memory of 4800	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 4800	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 4800	1656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c7742aeb8aba1feb5b50dffcfb3e05e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c7742aeb8aba1feb5b50dffcfb3e05e_JaffaCakes118.dll,#1
2⤵
- Suspicious use of SetWindowsHookEx
PID:4800

memory/4800-0-0x0000000010000000-0x00000000100FC000-memory.dmp

Filesize
1008KB

Download