4e4db466b14f795423782b4de4ba244c3e341abcc6ec24d49ddebeb281750c8a

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 19:00

Target

42f1a1846b3d723227f26f6abbe091f6_JaffaCakes118.dll
Size

470KB
MD5

42f1a1846b3d723227f26f6abbe091f6
SHA1

18488fe8933ccf4c21cc24425b35c20bb464af27
SHA256

4e4db466b14f795423782b4de4ba244c3e341abcc6ec24d49ddebeb281750c8a
SHA512

8e2484646589ade46a8c607ad089f6b1d075b67cb06556c7e1c33073788a326ffd877fb36c3acc5ffefe91aa83b4387bde68c39f7b971d90a5df68edbae2b45b
SSDEEP

12288:kzA5lZhy6RpB/6eXMVVLrkwTzCunpKI13YEqWzSwSJQT:kzA5HhRPSeX2VHkuzRnpz1oqSZuT

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1628	rundll32mgr.exe

Loads dropped DLL 9 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1704	1628	WerFault.exe
3068	2552	WerFault.exe	30

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 1700 wrote to memory of 2552	1700	rundll32.exe	30
PID 2552 wrote to memory of 1628	2552	rundll32.exe	31
PID 2552 wrote to memory of 1628	2552	rundll32.exe	31
PID 2552 wrote to memory of 1628	2552	rundll32.exe	31
PID 2552 wrote to memory of 1628	2552	rundll32.exe	31
PID 2552 wrote to memory of 3068	2552	rundll32.exe	33
PID 2552 wrote to memory of 3068	2552	rundll32.exe	33
PID 2552 wrote to memory of 3068	2552	rundll32.exe	33
PID 2552 wrote to memory of 3068	2552	rundll32.exe	33
PID 1628 wrote to memory of 1704	1628	rundll32mgr.exe	32
PID 1628 wrote to memory of 1704	1628	rundll32mgr.exe	32
PID 1628 wrote to memory of 1704	1628	rundll32mgr.exe	32
PID 1628 wrote to memory of 1704	1628	rundll32mgr.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42f1a1846b3d723227f26f6abbe091f6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\42f1a1846b3d723227f26f6abbe091f6_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 92
      4⤵
      Loads dropped DLL
      Program crash
      PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 220
    3⤵
    - Program crash
    PID:3068

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
aea1462e5f1f31dd74df7833b5a07305

SHA1
cea53b9b3311f1003df5d9266f9e3fbd5c971f28

SHA256
62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

SHA512
776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

Download Submit
memory/2552-9-0x0000000074D20000-0x0000000074D9C000-memory.dmp

Filesize
496KB

Download
memory/2552-7-0x0000000074DA0000-0x0000000074E1C000-memory.dmp

Filesize
496KB

Download
memory/2552-10-0x0000000074DA0000-0x0000000074E1C000-memory.dmp

Filesize
496KB

Download
memory/2552-11-0x0000000074D10000-0x0000000074D8C000-memory.dmp

Filesize
496KB

Download