02419e7d3fc685593534c985fa554b894216d8ba878085586509d146b48deb17

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 17:19

Target

5ce81431c9bbabb0a7465d31071bcc7f_JaffaCakes118.dll
Size

646KB
MD5

5ce81431c9bbabb0a7465d31071bcc7f
SHA1

b041920e99edc52a056f060781895042509d7580
SHA256

02419e7d3fc685593534c985fa554b894216d8ba878085586509d146b48deb17
SHA512

ce8150b699c00324466b0d96488c99aae1f3cb891e941fe30de1cf6142b0d01fe56466cc1677ae38024b0787981c03a7c3ab058797ab751c1254d2fde1b5bd9a
SSDEEP

12288:qE7NiOLg18+1/hv5VEipyz7mTWWa8afR2ftuD1xbmiU3MV5y:qE3+F5GipwuWWpj+HHy

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1804	rundll32mgr.exe

Loads dropped DLL 9 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1292	1804	WerFault.exe	31
2328	1708	WerFault.exe	30

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1732 wrote to memory of 1708	1732	rundll32.exe	30
PID 1708 wrote to memory of 1804	1708	rundll32.exe	31
PID 1708 wrote to memory of 1804	1708	rundll32.exe	31
PID 1708 wrote to memory of 1804	1708	rundll32.exe	31
PID 1708 wrote to memory of 1804	1708	rundll32.exe	31
PID 1708 wrote to memory of 2328	1708	rundll32.exe	32
PID 1708 wrote to memory of 2328	1708	rundll32.exe	32
PID 1708 wrote to memory of 2328	1708	rundll32.exe	32
PID 1708 wrote to memory of 2328	1708	rundll32.exe	32
PID 1804 wrote to memory of 1292	1804	rundll32mgr.exe	33
PID 1804 wrote to memory of 1292	1804	rundll32mgr.exe	33
PID 1804 wrote to memory of 1292	1804	rundll32mgr.exe	33
PID 1804 wrote to memory of 1292	1804	rundll32mgr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ce81431c9bbabb0a7465d31071bcc7f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ce81431c9bbabb0a7465d31071bcc7f_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:1292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 220
    3⤵
    - Program crash
    PID:2328

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1708-3-0x00000000746A0000-0x0000000074748000-memory.dmp

Filesize
672KB

Download
memory/1708-9-0x00000000745F0000-0x0000000074698000-memory.dmp

Filesize
672KB

Download
memory/1708-10-0x00000000746A0000-0x0000000074748000-memory.dmp

Filesize
672KB

Download
memory/1708-11-0x00000000745F0000-0x0000000074698000-memory.dmp

Filesize
672KB

Download