0e489fcb91110754fac1bc1f80f9e1091c9983629bdb4348b926ce8e1232ae98

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 04:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bef39d4787d31bc2d198d71421a3909_JaffaCakes118.dll
Size

96KB
MD5

3bef39d4787d31bc2d198d71421a3909
SHA1

2debe058c9220341df80efab9f281d8f29153423
SHA256

0e489fcb91110754fac1bc1f80f9e1091c9983629bdb4348b926ce8e1232ae98
SHA512

a0325b2c171004b71876d9f9daa8e28d8f5e4613bbaafe2874106655aef6bbed8193618389c3cbef6b100e45a0d5d9e6708c93b29242d7867c9a1531de5ed46f
SSDEEP

3072:W44eYhg3IeJHxkJMH/wWipXKyihFABD4ypnu:b447jxKBD4yRu

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	2636	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 2636	3364	rundll32.exe	83
PID 3364 wrote to memory of 2636	3364	rundll32.exe	83
PID 3364 wrote to memory of 2636	3364	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bef39d4787d31bc2d198d71421a3909_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bef39d4787d31bc2d198d71421a3909_JaffaCakes118.dll,#1
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 544
    3⤵
    - Program crash
    PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 2636
1⤵
PID:4860

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3089F20B31496DF83CC5E6B130F26C80; domain=.bing.com; expires=Wed, 06-Aug-2025 04:08:32 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E2598F3DFAF54B2C96850BF7A59B9733 Ref B: LON04EDGE0917 Ref C: 2024-07-12T04:08:32Z
date: Fri, 12 Jul 2024 04:08:31 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3089F20B31496DF83CC5E6B130F26C80

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=w0YQGQ3LAmHX0G9YMz22vnm3C44BNTYY5e00mA_jvdo; domain=.bing.com; expires=Wed, 06-Aug-2025 04:08:32 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 35D8B33636CB4D71A80172B12F171F90 Ref B: LON04EDGE0917 Ref C: 2024-07-12T04:08:32Z
date: Fri, 12 Jul 2024 04:08:32 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3089F20B31496DF83CC5E6B130F26C80; MSPTC=w0YQGQ3LAmHX0G9YMz22vnm3C44BNTYY5e00mA_jvdo

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9475D844C8134BBA90DBF7CE1F101C79 Ref B: LON04EDGE0917 Ref C: 2024-07-12T04:08:32Z
date: Fri, 12 Jul 2024 04:08:32 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

tls, http2

2.0kB
9.3kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b94ce1b8aef248028cba8f4e001b5346&localId=w:7F54B7CC-A139-0C44-079B-F8E35781E681&deviceId=6825836757805329&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-0-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.