Analysis
- max time kernel: 90s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 21:33
Static task
- static1
Behavioral tasks
- behavioral1: sample 97bc9fc82cdd0607f0bd1e83622b80ba_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample 97bc9fc82cdd0607f0bd1e83622b80ba_JaffaCakes118.exe, resource win10v2004-20240226-en
- behavioral3: sample $PLUGINSDIR/nrxdd.dll, resource win7-20240221-en
- behavioral4: sample $PLUGINSDIR/nrxdd.dll, resource win10v2004-20231215-en
General
- Target: $PLUGINSDIR/nrxdd.dll
- Size: 42KB
- MD5: 5a5c717c752014c115f8cd5269d09230
- SHA1: 9e98b8f7fc33c2a635b7fafae816e70a991db637
- SHA256: bbd19853959f6a7e000b9bd1880416753f9129294efc7b5eba835891b4034459
- SHA512: 350f82e6eda8687197d911cddd6d84f734e77f63d538062c49298076db297907643f8771544000d4697d5c3f3995b488ef787a5ba132c89f6b2fba6b5be9a361
- SSDEEP: 768:fAidP+QzDl79yqZw0yAkKjGZbjtY7xgUnNfzyX6ZAunOVfG2WgkhRw:fAMWQzh7kqfkRtY1gQ06ZAumkM
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, target pid, process, target process):
  4756, 4112, WerFault.exe, rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with their event count):
  PID 5088 wrote to memory of 4112, 5088, rundll32.exe, rundll32.exe (3 events)
  PID 4112 wrote to memory of 2636, 4112, rundll32.exe, rundll32.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 5088)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4112)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2636)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 4756)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 676
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3628)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4112 -ip 4112
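Worked example (added here; it is not part of the sandbox report and not code from the sample): a small Python script that takes the WriteProcessMemory rows and the process tree above and turns them into something an analyst can act on. It collapses the repeated rows into per-pair write counts, flags every writer/target pair where the target is a direct child of the writer (the shape of hollowing or remote DLL injection, as opposed to a debugger attaching to an unrelated process), marks whether a pair is the 64-bit system32 rundll32 handing a 32-bit DLL to the SysWOW64 rundll32, and recovers the crashed PID from WerFault's -p argument. Parent PIDs are inferred from the tree nesting because the report prints no PPID column; the function names and the row format assumed by the regex are our own.

```python
"""Triage the WriteProcessMemory and crash signatures of a sandbox report.

Rows are copied from the report; parent PIDs come from the tree nesting
(the report prints no PPID column). Function names are our own.
"""
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows, one per event, as printed in the report.
WPM_EVENTS = """\
PID 5088 wrote to memory of 4112 5088 rundll32.exe rundll32.exe
PID 5088 wrote to memory of 4112 5088 rundll32.exe rundll32.exe
PID 5088 wrote to memory of 4112 5088 rundll32.exe rundll32.exe
PID 4112 wrote to memory of 2636 4112 rundll32.exe rundll32.exe
PID 4112 wrote to memory of 2636 4112 rundll32.exe rundll32.exe
PID 4112 wrote to memory of 2636 4112 rundll32.exe rundll32.exe
PID 4112 wrote to memory of 2636 4112 rundll32.exe rundll32.exe
"""

DLL_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nrxdd.dll,#1"

# (pid, parent pid, image path, command line) from the process tree; ppid None = tree root.
PROCESSES = [
    (5088, None, r"C:\Windows\system32\rundll32.exe", DLL_CMD),
    (4112, 5088, r"C:\Windows\SysWOW64\rundll32.exe", DLL_CMD),
    (2636, 4112, r"C:\Windows\SysWOW64\rundll32.exe", DLL_CMD),
    (4756, 4112, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 676"),
    (3628, None, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4112 -ip 4112"),
]

# Row layout assumed from the report: description, pid, process, target process.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_wpm_events(text):
    """Return one (writer_pid, target_pid, writer_image, target_image) per row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            writer, target, _pid, src, dst = m.groups()
            events.append((int(writer), int(target), src, dst))
    return events


def cross_process_writes(events):
    """Collapse repeated rows into {(writer_pid, target_pid): number_of_writes}."""
    counts = defaultdict(int)
    for writer, target, _, _ in events:
        counts[(writer, target)] += 1
    return dict(counts)


def _split(path):
    """Lower-cased (directory, basename) of a Windows path."""
    directory, _, base = path.lower().rpartition("\\")
    return directory, base


def injection_chains(events, processes):
    """Flag writer->target pairs where the target is a direct child of the writer.

    A parent writing into a process it just created is the shape of process
    hollowing and remote DLL injection, so each such pair is worth a look.
    """
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    image = {pid: img for pid, _, img, _ in processes}
    findings = []
    for (writer, target), n in sorted(cross_process_writes(events).items()):
        if parent.get(target) == writer:
            findings.append({
                "writer": writer, "target": target, "writes": n,
                "writer_image": image[writer], "target_image": image[target],
                # system32 -> SysWOW64 is the 64-to-32-bit hand-off rundll32 makes
                # for a 32-bit DLL; a SysWOW64 -> SysWOW64 hop has no such excuse.
                "wow64_handoff": _split(image[writer])[0].endswith("\\system32")
                and _split(image[target])[0].endswith("\\syswow64"),
            })
    return findings


def crashed_pids(processes):
    """PIDs named by WerFault's -p argument, i.e. the processes that faulted."""
    crashed = set()
    for _, _, img, cmd in processes:
        if _split(img)[1] == "werfault.exe":
            m = re.search(r"(?:^|\s)-p (\d+)", cmd)  # "-pss" has no space after -p
            if m:
                crashed.add(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    for finding in injection_chains(parse_wpm_events(WPM_EVENTS), PROCESSES):
        print(finding)
    print("crashed:", crashed_pids(PROCESSES))
```

Run against the rows above it reports two child-write chains: 5088 into 4112 (three writes, the system32 to SysWOW64 hand-off) and 4112 into 2636 (four writes, SysWOW64 to SysWOW64, the one to examine first), and it names 4112 as the process WerFault was invoked for. The same parent-of-target check works on any EDR or sandbox event stream that exposes writer PID, target PID and parent PID.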