15b140103e0ae309e971e6cbf60cc369a4d04e504009bbb4f64f8a5b8291b70f

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 04:59

Target

29befbc6c8f7f6405dbeb5b3641ecda1_JaffaCakes118.dll
Size

204KB
MD5

29befbc6c8f7f6405dbeb5b3641ecda1
SHA1

126d09b5f0ce20e8641d962c4cd2d317cd7f3559
SHA256

15b140103e0ae309e971e6cbf60cc369a4d04e504009bbb4f64f8a5b8291b70f
SHA512

3ccf021cb95651a203a087c2f789134aa73eb429d6a28ed193952033748e4f31ee390146d1df682fa8226c4c6c75a9ddc0bf4f7911e79363bfa989f13237a684
SSDEEP

3072:6Fr/n5sE+9oWcexATaggljmeIK3BpeIFciV3jU4nEvlTaPxpg0Vi8KGLYoLW:AEoWcoSIKIFc0N4kEc1ny

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2844	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	rundll32.exe
3060	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x00090000000120fa-2.dat	upx
behavioral1/memory/2844-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2844-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2788	3060	WerFault.exe	30

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 2404 wrote to memory of 3060	2404	rundll32.exe	30
PID 3060 wrote to memory of 2844	3060	rundll32.exe	31
PID 3060 wrote to memory of 2844	3060	rundll32.exe	31
PID 3060 wrote to memory of 2844	3060	rundll32.exe	31
PID 3060 wrote to memory of 2844	3060	rundll32.exe	31
PID 3060 wrote to memory of 2788	3060	rundll32.exe	32
PID 3060 wrote to memory of 2788	3060	rundll32.exe	32
PID 3060 wrote to memory of 2788	3060	rundll32.exe	32
PID 3060 wrote to memory of 2788	3060	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29befbc6c8f7f6405dbeb5b3641ecda1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\29befbc6c8f7f6405dbeb5b3641ecda1_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 224
    3⤵
    - Program crash
    PID:2788

\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
39ba7f790512d1af40cc864189175cb7

SHA1
da5f35bed908b1a0d08b7639d76cf2d711789e29

SHA256
b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

SHA512
0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

Download Submit
memory/2844-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2844-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3060-1-0x000000006D350000-0x000000006D385000-memory.dmp

Filesize
212KB

Download
memory/3060-9-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3060-8-0x000000006D350000-0x000000006D385000-memory.dmp

Filesize
212KB

Download
memory/3060-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download