Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 02:22
Behavioral task
behavioral1
Sample
696f548061df8e9af81046a6bb923a7f_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
696f548061df8e9af81046a6bb923a7f_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsArray.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsArray.dll
Resource
win10v2004-20240426-en
General
-
Target
$PLUGINSDIR/nsArray.dll
-
Size
6KB
-
MD5
6206b94f91e92b7f7f72214c438dd414
-
SHA1
09281ee4a76aa7dce016e7476ce33aa74246a0c6
-
SHA256
b15de38c9d72eef3c8ac9336c39debb10edc8e4a26bcc32b319f6ae8c9141380
-
SHA512
502bedef4fe934c74903ea01036fc265b950a8bb4927f6b285926ff53140fa8a78f37bc7e39a8de8ccde0ba6cdf9d0f512379c9fef86ad60192ed4b447c00fd0
-
SSDEEP
96:QVtJ0bb2EKqyp//c6fbQ2Pz9AqgCLAk9F5LeT2b8HIK/O0iRxGQFIfA7gfMxLfA0:QGbQvp3c6/PwCLAk90K8DysQf0M2dja
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral5/memory/1708-1-0x0000000074D80000-0x0000000074D8A000-memory.dmp upx behavioral5/memory/1708-3-0x0000000074D80000-0x0000000074D8A000-memory.dmp upx -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1028 1708 WerFault.exe rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 2328 wrote to memory of 1708 2328 rundll32.exe rundll32.exe PID 1708 wrote to memory of 1028 1708 rundll32.exe WerFault.exe PID 1708 wrote to memory of 1028 1708 rundll32.exe WerFault.exe PID 1708 wrote to memory of 1028 1708 rundll32.exe WerFault.exe PID 1708 wrote to memory of 1028 1708 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 2203⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1708-2-0x0000000074D90000-0x0000000074D9A000-memory.dmpFilesize
40KB
-
memory/1708-1-0x0000000074D80000-0x0000000074D8A000-memory.dmpFilesize
40KB
-
memory/1708-0-0x0000000074D90000-0x0000000074D9A000-memory.dmpFilesize
40KB
-
memory/1708-3-0x0000000074D80000-0x0000000074D8A000-memory.dmpFilesize
40KB
-
memory/1708-5-0x0000000074D90000-0x0000000074D9A000-memory.dmpFilesize
40KB
-
memory/1708-6-0x0000000074D90000-0x0000000074D9A000-memory.dmpFilesize
40KB