719ccc6adde36900dea84188f6556181e2fae12418c55ac3e24093b403190767

Analysis

max time kernel
12s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 03:31

Target

441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll
Size

124KB
MD5

441e3a4bc788dedf60588c7d99dd60d4
SHA1

ca09b2912f4bc08ee232bfaf59da965be29f1435
SHA256

719ccc6adde36900dea84188f6556181e2fae12418c55ac3e24093b403190767
SHA512

94791332f737b40762dea2a211ad22f448246c13add30845e9c922e4f50c18fb4df18a13dbb9e835d6307a9643e26e4fa27fb78279a9e7c8d5dac1b1c34e549b
SSDEEP

3072:Z61Ye3TaEu2CoCcn3zO7A4D8XHqhpiNeiIi+l1UUzGh0wf:ATa12CoCckAe8iicx6mGl

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
888	rundll32mgr.exe

Loads dropped DLL 9 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2464	2504	WerFault.exe	29
2444	888	WerFault.exe	30

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2548 wrote to memory of 2504	2548	rundll32.exe	29
PID 2504 wrote to memory of 888	2504	rundll32.exe	30
PID 2504 wrote to memory of 888	2504	rundll32.exe	30
PID 2504 wrote to memory of 888	2504	rundll32.exe	30
PID 2504 wrote to memory of 888	2504	rundll32.exe	30
PID 888 wrote to memory of 2444	888	rundll32mgr.exe	32
PID 888 wrote to memory of 2444	888	rundll32mgr.exe	32
PID 888 wrote to memory of 2444	888	rundll32mgr.exe	32
PID 888 wrote to memory of 2444	888	rundll32mgr.exe	32
PID 2504 wrote to memory of 2464	2504	rundll32.exe	31
PID 2504 wrote to memory of 2464	2504	rundll32.exe	31
PID 2504 wrote to memory of 2464	2504	rundll32.exe	31
PID 2504 wrote to memory of 2464	2504	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\441e3a4bc788dedf60588c7d99dd60d4_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 228
    3⤵
    - Program crash
    PID:2464

\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/2504-1-0x000000006D100000-0x000000006D11F000-memory.dmp

Filesize
124KB

Download