Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2024 15:42
Static task
- static1
Behavioral tasks
- behavioral1: Sample 73fe142254abec3aeaef375f0564d40a_JaffaCakes118.exe, Resource win7-20240221-en
- behavioral2: Sample 73fe142254abec3aeaef375f0564d40a_JaffaCakes118.exe, Resource win10v2004-20231215-en
- behavioral3: Sample $PLUGINSDIR/yhjjbtf.dll, Resource win7-20240221-en
- behavioral4: Sample $PLUGINSDIR/yhjjbtf.dll, Resource win10v2004-20240226-en
General
- Target: $PLUGINSDIR/yhjjbtf.dll
- Size: 33KB
- MD5: 2109a0431e1e8fbce8007bc6dbdc8d2d
- SHA1: f85d1cfa01ca893063af01510115bc279da84c2a
- SHA256: 520857c7a5bfaeebf0f39504ae85d32b7e153774e93cb2be486f9a5d35b76d05
- SHA512: a190901c467b65b18370aa3dbec9bb994294042fb78965b6baaf92a31fdc316912679a23f81f76a0d30f51c9c9ccbabcd58b0d420a1c6060508de1f0c0d320fb
- SSDEEP: 384:173rOmBpuRkCafMEILJBJn0GMZEhE7flHeKCB5qktAX6KiAEHpMUK6rbT7:171YiCeIdBMZT7f5eL5XfLzMUKcbX
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid    pid_target    process        target process
  4416   2448          WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid    process        target process
  PID 2816 wrote to memory of 2448    2816   rundll32.exe   rundll32.exe
  PID 2816 wrote to memory of 2448    2816   rundll32.exe   rundll32.exe
  PID 2816 wrote to memory of 2448    2816   rundll32.exe   rundll32.exe
  PID 2448 wrote to memory of 4900    2448   rundll32.exe   rundll32.exe
  PID 2448 wrote to memory of 4900    2448   rundll32.exe   rundll32.exe
  PID 2448 wrote to memory of 4900    2448   rundll32.exe   rundll32.exe
  PID 2448 wrote to memory of 4900    2448   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2816, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2448, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4900, depth 3)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 4416, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 740
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2376, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2448 -ip 2448
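The parent/child chain in this report (the 64-bit rundll32.exe at PID 2816 writing into and spawning the SysWOW64 rundll32.exe at PID 2448, which in turn spawns PID 4900 and is then picked up by WerFault) is the kind of pattern a detection engineer wants to reconstruct from endpoint telemetry rather than read off a sandbox page. The Python below is an added example, not the sandbox's own code: it rebuilds the tree from constructed process-creation records that mirror the PIDs, image paths and command lines listed above (parent PIDs are inferred from the WriteProcessMemory source/target pairs and from WerFault's -p argument; the second, service-launched WerFault is given an assumed parent PID of 0), flags rundll32 chains whose leaf loads a DLL from the user's Temp directory by export ordinal, and reports which PID WerFault was invoked for.

```python
"""Rebuild a process tree from parent/child records and flag the rundll32 chain.

Added example. The EVENTS records are constructed from the PIDs, image paths
and command lines in the report above; they are not the sandbox's own format.
"""
import re
from collections import defaultdict

# Constructed records: (pid, ppid, image path, command line).
# ppid follows the WriteProcessMemory pairs (2816 -> 2448 -> 4900) and WerFault's
# "-p 2448"; the "-pss" WerFault is assumed to be service-launched, so ppid = 0.
EVENTS = [
    (2816, 0, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1"),
    (2448, 2816, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1"),
    (4900, 2448, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhjjbtf.dll,#1"),
    (4416, 2448, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 740"),
    (2376, 0, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2448 -ip 2448"),
]

# rundll32 loading a DLL from the user's Temp directory and calling it by ordinal (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32\.exe\s+(?P<dll>[^\s,]*\\AppData\\Local\\Temp\\[^\s,]+\.dll),#(?P<ord>\d+)",
    re.IGNORECASE,
)
# WerFault names the crashing process with "-p <pid>" ("-pss" is skipped by the \s+).
WERFAULT_TARGET = re.compile(r"WerFault\.exe.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def build_tree(events):
    """Return (children map keyed by ppid, record map keyed by pid)."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return children, by_pid


def chain(by_pid, pid):
    """Ancestor chain from the outermost known process down to pid."""
    out = []
    while pid in by_pid:
        out.append(pid)
        pid = by_pid[pid][0]
    return list(reversed(out))


def is_rundll32(by_pid, pid):
    return by_pid[pid][1].lower().endswith("rundll32.exe")


def find_rundll32_chains(events):
    """Contiguous rundll32 -> rundll32 chains whose leaf loads a Temp DLL by ordinal."""
    children, by_pid = build_tree(events)
    hits = []
    for pid, (_, _, cmd) in by_pid.items():
        if not is_rundll32(by_pid, pid):
            continue
        m = RUNDLL32_TEMP_ORDINAL.search(cmd)
        if not m:
            continue
        # Report leaves only: a rundll32 with no rundll32 children of its own.
        if any(is_rundll32(by_pid, c) for c in children.get(pid, [])):
            continue
        run = []
        for p in reversed(chain(by_pid, pid)):  # walk upwards while still rundll32
            if not is_rundll32(by_pid, p):
                break
            run.append(p)
        hits.append({"chain": list(reversed(run)),
                     "dll": m.group("dll"), "ordinal": int(m.group("ord"))})
    return hits


def crashed_pids(events):
    """PIDs that WerFault was launched for (the "-p <pid>" argument)."""
    out = set()
    for _, _, image, cmd in events:
        if image.lower().endswith("werfault.exe"):
            m = WERFAULT_TARGET.search(cmd)
            if m:
                out.add(int(m.group("pid")))
    return out


if __name__ == "__main__":
    for h in find_rundll32_chains(EVENTS):
        print("rundll32 chain", " -> ".join(map(str, h["chain"])),
              "loads", h["dll"], "ordinal", h["ordinal"])
    print("crashed:", sorted(crashed_pids(EVENTS)))
```

On real telemetry the records would come from process-creation events (for example Sysmon Event ID 1, where ParentProcessId supplies the ppid directly) and the command-line pattern is the part to tune: $PLUGINSDIR is the directory NSIS installers extract their plugin DLLs to, so a rundll32 loading a DLL from that path by ordinal is worth a look even without the crash that follows here.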