Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 04121e7d2071ca3388b0a41f41be5836_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 04121e7d2071ca3388b0a41f41be5836_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: 04121e7d2071ca3388b0a41f41be5836_JaffaCakes118.dll
Size: 2.0MB
MD5: 04121e7d2071ca3388b0a41f41be5836
SHA1: 757c7ce8f6d0012b5662e3099e6463f1732a6b92
SHA256: cf4fd34eef0d281c6bc7c499dc2447f0d2d6806e4c24d8f72f6f53aba47d0656
SHA512: fee9f8b5b716d9c8b9184230753d58dd1df7e85a90f15beecf38ed66c7706e40786ae45291dce07e93d61a42bae2c5607336ca60fdbe8d8ae8429df28288ef31
SSDEEP: 24576:G7RZDGoF0YYweiqaHa35FebfKcrCJ3qYyC1OpLo13hjvYQ5m3P3O:G9pa35FLXJR7
Malware Config
Extracted
  Family: metasploit
  Encoder: encoder/shikata_ga_nai
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Program crash (1 IoC)
Processes:
  pid   | pid_target | process      | target process
  2784  | 1612       | WerFault.exe | rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        | pid  | process      | target process
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 2000 wrote to memory of 1612   | 2000 | rundll32.exe | rundll32.exe
  PID 1612 wrote to memory of 2784   | 1612 | rundll32.exe | WerFault.exe
  PID 1612 wrote to memory of 2784   | 1612 | rundll32.exe | WerFault.exe
  PID 1612 wrote to memory of 2784   | 1612 | rundll32.exe | WerFault.exe
  PID 1612 wrote to memory of 2784   | 1612 | rundll32.exe | WerFault.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04121e7d2071ca3388b0a41f41be5836_JaffaCakes118.dll,#1
  PID: 2000
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04121e7d2071ca3388b0a41f41be5836_JaffaCakes118.dll,#1
    PID: 1612
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 232
      PID: 2784
      Signatures: Program crash