Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 00:23
Static task: static1
Behavioral task: behavioral1
Sample: fdfe8ff817da57526caaf242e7586eae_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: fdfe8ff817da57526caaf242e7586eae_JaffaCakes118.dll
Size: 88KB
MD5: fdfe8ff817da57526caaf242e7586eae
SHA1: 3ee2d5e3c6ff387dc8bc63255676d21d174f8269
SHA256: 53f37d0f2845e7fa6a6754113a34bdaeee4f9e9ad7cd364c686452716056d489
SHA512: f33b6b90aaee88aba72e13900c7baf8b95fc7dd9c9a2f18517042f4f85ba5dabe2112b36af0e9d3e1ed5f1b05e7fe193e970086d31f80158c76895d82151a0cb
SSDEEP: 1536:3zjFyusqeIUNZUI3QFWA6ZLGlb+doyE2sOGKx8fIxIL9+G3I+jbRg8SJC:jcdNZfQFWFZalbadrIII9+G4sIC
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: rundll32mgr.exe
    pid 2264  process rundll32mgr.exe

Loads dropped DLL (9 IoCs)
  Processes: rundll32.exe, WerFault.exe
    pid 1620  process rundll32.exe (2 entries)
    pid 2952  process WerFault.exe (7 entries)

Drops file in System32 directory (1 IoC)
  Processes: rundll32.exe
    description: File created
    ioc: C:\Windows\SysWOW64\rundll32mgr.exe
    process: rundll32.exe

Drops file in Windows directory (1 IoC)
  Processes: rundll32.exe
    description: File opened for modification
    ioc: C:\Windows\win.ini
    process: rundll32.exe

Program crash (1 IoC)
  Processes: WerFault.exe
    pid 2952 (WerFault.exe)  pid_target 2264 (rundll32mgr.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe
    PID 2188 wrote to memory of 1620  rundll32.exe -> rundll32.exe (7 entries)
    PID 1620 wrote to memory of 2264  rundll32.exe -> rundll32mgr.exe (4 entries)
    PID 2264 wrote to memory of 2952  rundll32mgr.exe -> WerFault.exe (4 entries)
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdfe8ff817da57526caaf242e7586eae_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdfe8ff817da57526caaf242e7586eae_JaffaCakes118.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe
      command: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 100
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Matrix
Downloads
\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 60KB
  MD5: 94f2f6ffbba8e7644668b51b39983916
  SHA1: 63357bbdf90101969117983dbc0d4ed0e713c4d7
  SHA256: ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
  SHA512: d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156
memory/1620-2-0x0000000010000000-0x000000001001B000-memory.dmp
  Filesize: 108KB