Analysis
- max time kernel: 90s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 23:16
Static task
- static1

Behavioral task behavioral1
- Sample: a9529e72ea3c3b4f0c5dfe1915c17a8a_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task behavioral2
- Sample: a9529e72ea3c3b4f0c5dfe1915c17a8a_JaffaCakes118.exe
- Resource: win10v2004-20240226-en

Behavioral task behavioral3
- Sample: $PLUGINSDIR/itfd.dll
- Resource: win7-20240221-en

Behavioral task behavioral4
- Sample: $PLUGINSDIR/itfd.dll
- Resource: win10v2004-20231215-en
General
- Target: $PLUGINSDIR/itfd.dll
- Size: 42KB
- MD5: af514b31b839ced67c0907a6569e3495
- SHA1: ca1c2fd9e815d695ec163cac2d2feb72fa9b0a00
- SHA256: e5b37e22db2aab4db04417c4b30be841686e2300687d5b3abd8a0456cd144d31
- SHA512: 22920f0365435be0961a33009ab1bff010ab5534553bd9d75e9be30ea588c67ea8ac7be936e4759019cb2a7fa6232fbbb4cef516ab54f68396934f383da52055
- SSDEEP: 768:0t8W+2zCq7jt8fFhCQcFSOzin3WfMGjny8+XY4PscAigP:0t8uzf7RJQcm3Wl+XY40cTgP
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target   process        target process
  2776  4752         WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 5112 wrote to memory of 4752    5112  rundll32.exe  rundll32.exe
  PID 5112 wrote to memory of 4752    5112  rundll32.exe  rundll32.exe
  PID 5112 wrote to memory of 4752    5112  rundll32.exe  rundll32.exe
  PID 4752 wrote to memory of 4112    4752  rundll32.exe  rundll32.exe
  PID 4752 wrote to memory of 4112    4752  rundll32.exe  rundll32.exe
  PID 4752 wrote to memory of 4112    4752  rundll32.exe  rundll32.exe
  PID 4752 wrote to memory of 4112    4752  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\itfd.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\itfd.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\itfd.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 656
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
Network
MITRE ATT&CK Matrix
Downloads
- memory/4752-0-0x0000000010000000-0x000000001000D000-memory.dmp (Filesize: 52KB)