Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 04:48
Behavioral task: behavioral1
Sample: 4848d974f43834464999457bf79441be_JaffaCakes118.dll
Resource: win7-20240708-en
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 4848d974f43834464999457bf79441be_JaffaCakes118.dll
Resource: win10v2004-20240709-en
3 signatures, 150 seconds
General
Target: 4848d974f43834464999457bf79441be_JaffaCakes118.dll
Size: 72KB
MD5: 4848d974f43834464999457bf79441be
SHA1: 23c6382d03d2c325b2c07e2079ced1354a4df674
SHA256: 16b8a5f769825180167b3020cbb4440b8334c3d063035d55b8aa32b7162dedaf
SHA512: 05fe9e4b11e3eb80e181af64bc285ebd7d60234631ded67f0b8bee1759dd19265503775545cf2d844d05f8114c573c3ca2267f81b2263997cf139fc2781e10f5
SSDEEP: 1536:6QDIO81Q0E7UJAEvlYuDmjRYPxxrVBj2Ou9f64J2LcMPMVCKBUxFBgp:6yIxE7UJAu9DOoL7m5F2LdkVDBhp
Score
7/10
Malware Config
Signatures

resource | yara_rule
behavioral1/memory/2396-1-0x0000000010000000-0x0000000010043000-memory.dmp | vmprotect
behavioral1/memory/2396-0-0x0000000010000000-0x0000000010043000-memory.dmp | vmprotect

Program crash 1 IoCs
pid | pid_target | Process | procid_target
2960 | 2396 | WerFault.exe | 31

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 1000 wrote to memory of 2396 | 1000 | rundll32.exe | 31
PID 2396 wrote to memory of 2960 | 2396 | rundll32.exe | 32
PID 2396 wrote to memory of 2960 | 2396 | rundll32.exe | 32
PID 2396 wrote to memory of 2960 | 2396 | rundll32.exe | 32
PID 2396 wrote to memory of 2960 | 2396 | rundll32.exe | 32
Processes

C:\Windows\system32\rundll32.exe (PID 1000)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 2396, child of 1000)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 2960, child of 2396)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 228
      - Program crash
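The process tree above is the whole observable story of this run: 64-bit rundll32 is handed a DLL from the user's Temp directory with an ordinal entry point (#1), relaunches itself under SysWOW64 because the DLL is 32-bit (the VMProtect hits sit at 0x10000000, the default image base of a 32-bit DLL), and the 32-bit instance then crashes, which is why WerFault.exe is invoked with -p 2396. The "Suspicious use of WriteProcessMemory" entries are the parent writing startup data into each child it creates, so on their own they only confirm the parent/child links. The script below is an added example, not part of the sandbox report or its tooling: it runs that reasoning as detection logic over constructed process-creation records modelled on this tree (the event dictionaries, field names and the benign shell32.dll control entry are all assumptions made for the example), flagging rundll32 loads from user-writable paths, ordinal entry points, the WoW64 relaunch, and a WerFault report that names a flagged process.

```python
import re

# Constructed process-creation events modelled on this report's process tree.
# They are sample input for the example, not sandbox output. The last entry is
# a benign control (system DLL, named export) that should not be flagged.
EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1"},
    {"pid": 2396, "ppid": 1000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4848d974f43834464999457bf79441be_JaffaCakes118.dll,#1"},
    {"pid": 2960, "ppid": 2396, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 228"},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 syntax is "<dll>,<entry>"; the DLL path may be quoted, the entry may
# be a name or "#<ordinal>".
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

# Directories an unprivileged user can write to (assumed list for the example).
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.IGNORECASE)

# WerFault names the faulting process with "-p <pid>".
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u"), m.group("entry"))


def score_rundll32(dll, entry):
    """Reasons a single rundll32 invocation deserves attention."""
    reasons = []
    if USER_WRITABLE_RE.search(dll):
        reasons.append("DLL loaded from a user-writable directory")
    if entry.startswith("#"):
        reasons.append("entry point given by ordinal (%s), not by name" % entry)
    return reasons


def analyze(events):
    """Map pid -> list of findings for the rundll32 processes in `events`."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    # Pass 1: score every rundll32 process and spot the WoW64 relaunch
    # (64-bit rundll32 spawning SysWOW64\rundll32.exe with the same DLL,entry).
    for e in events:
        image = e["image"].lower()
        if not image.endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        reasons = score_rundll32(*parsed)
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].lower().endswith("\\rundll32.exe")
                and "\\syswow64\\" in image
                and parse_rundll32(parent["cmdline"]) == parsed):
            reasons.append("WoW64 relaunch: 64-bit rundll32 handed a 32-bit DLL to SysWOW64\\rundll32.exe")
        if reasons:
            findings[e["pid"]] = reasons

    # Pass 2: link WerFault reports back to flagged processes. Order-independent,
    # so a crash record that arrives before its target still gets attached.
    for e in events:
        if not e["image"].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m and int(m.group(1)) in findings:
            findings[int(m.group(1))].append(
                "process crashed: WerFault.exe reported on pid %s" % m.group(1))
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(analyze(EVENTS).items()):
        print("PID %d:" % pid)
        for r in reasons:
            print("  -", r)
```

Both rundll32 instances are flagged for the Temp-directory load and the ordinal entry point; the SysWOW64 one additionally carries the WoW64 relaunch and the crash link, while the shell32.dll control produces nothing. The crash finding is the one worth reading carefully in a report like this: a packed sample that faults in the analysis VM has not executed its payload, so a score of 7/10 built from packer and crash signals says little about what the DLL would do on a host it accepts.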