947a2d143a0267d2f1e465be8997fc40ba5c34ee1263997daff0a0a31366076a

Analysis

max time kernel
95s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cd95d77eb905fd0ec61354e8b644908_JaffaCakes118.dll
Size

24KB
MD5

3cd95d77eb905fd0ec61354e8b644908
SHA1

841973c459490b1a1a87abb386e5e4d0f2d25922
SHA256

947a2d143a0267d2f1e465be8997fc40ba5c34ee1263997daff0a0a31366076a
SHA512

7832513717ad308d3b08c9b1b7a49eaa0d2350b87b18678255faef6414c178f259a308f91696d8aa685a15cf6277248c5350071e8bdd7e0557ada9e60ee67c28
SSDEEP

768:PJ5zdDBFfYomnnx2ZWUTRNe5FRXyWI1Dt32xX:PjHaomnnQpNebRXZODtmx

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	536	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 536	1652	rundll32.exe	83
PID 1652 wrote to memory of 536	1652	rundll32.exe	83
PID 1652 wrote to memory of 536	1652	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cd95d77eb905fd0ec61354e8b644908_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cd95d77eb905fd0ec61354e8b644908_JaffaCakes118.dll,#1
  2⤵
  - Maps connected drives based on registry
  PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 628
    3⤵
    - Program crash
    PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 536 -ip 536
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-0-0x0000000013142000-0x0000000013145000-memory.dmp

Filesize
12KB

Download
memory/536-1-0x0000000013145000-0x0000000013146000-memory.dmp

Filesize
4KB

Download