Overview

overview

10

Static

static

3

593f4c3d29...18.dll

windows7-x64

10

593f4c3d29...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-07-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll

  • Size

    648KB

  • MD5

    593f4c3d291e75903b8e30c63a696848

  • SHA1

    b10e99e3600701312295052df27febc44a587ef4

  • SHA256

    0bce56f1587478cdb44adc1a4b7fa9b58c027ac414fda97bc9c8b5d60098d825

  • SHA512

    31ba7f21c3df68c0f89f440e792ec3153529545c1065b069655d9e1c1ef97b74c7d2cca7c9c077915b8088a75e80d495d1eaf42ce2300b056d0c9852b756985b

  • SSDEEP

    12288:ZXca4e6QwokAzbPzxPI6mFoaR5SAXhnsGs7GyoXery0AbKvuA:Zslem2z7zCXr+jo5Kvu

Score
10/10
hancitor1602_78210hdownloader

Malware Config

Extracted

Family

hancitor

Botnet

1602_78210h

C2

http://eviddinlahal.com/8/forum.php

http://saisepsdrablis.ru/8/forum.php

http://obvionsweyband.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll,#1
      2⤵
        PID:1872
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 764
          3⤵
          • Program crash
          PID:2872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1872 -ip 1872
      1⤵
        PID:3452

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1872-0-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1872-1-0x0000000001380000-0x0000000001388000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1872-2-0x0000000002C90000-0x0000000002C9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1872-3-0x0000000000400000-0x00000000004A6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/1872-4-0x0000000001380000-0x0000000001388000-memory.dmp

        Filesize

        32KB

        Download