Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-09-2024 09:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: fa2e5eec14233d5990a75a46f62d7052_JaffaCakes118.dll
  - Resource: win7-20240708-en
General
- Target: fa2e5eec14233d5990a75a46f62d7052_JaffaCakes118.dll
- Size: 272KB
- MD5: fa2e5eec14233d5990a75a46f62d7052
- SHA1: 938692401180d0858ab42498a2017da4589d21b8
- SHA256: cfda592ac1958ac76c35369bd9e01bd3902cc0127ce03c97eb73c1ae4b966564
- SHA512: b4039864c110cd4011a4fd8df8778dd5bfa125762950dde169009aac12ddc27fb48dba8531af811045d041cc27eb32a81843b2aa80fedf12be0f1fd9e6e579a4
- SSDEEP: 6144:CrkYHjIWeWcd71bynznSB3ZOaI4SCxW0Dg:PYHjIWPo71bISqa2SDg
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  892   rundll32mgr.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
- YARA rule match: upx (3 resources)
  resource                                                                    yara_rule
  behavioral2/files/0x00090000000233b9-3.dat                                  upx
  behavioral2/memory/892-4-0x0000000000400000-0x000000000045B000-memory.dmp   upx
  behavioral2/memory/892-7-0x0000000000400000-0x000000000045B000-memory.dmp   upx
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2612  4596        WerFault.exe  82
  3824  892         WerFault.exe  83
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1052 wrote to memory of 4596  1052  rundll32.exe  82
  PID 1052 wrote to memory of 4596  1052  rundll32.exe  82
  PID 1052 wrote to memory of 4596  1052  rundll32.exe  82
  PID 4596 wrote to memory of 892   4596  rundll32.exe  83
  PID 4596 wrote to memory of 892   4596  rundll32.exe  83
  PID 4596 wrote to memory of 892   4596  rundll32.exe  83
Processes
- C:\Windows\system32\rundll32.exe (PID 1052)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa2e5eec14233d5990a75a46f62d7052_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4596)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa2e5eec14233d5990a75a46f62d7052_JaffaCakes118.dll,#1
    signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 892)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 3824)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 256
        signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2612)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 608
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1920)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 892 -ip 892
- C:\Windows\SysWOW64\WerFault.exe (PID 404)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4596 -ip 4596
Network
All entries are DNS PTR lookups to remote address 8.8.8.8:53. Columns: request, response, bytes sent / received, packets sent / received.
- 217.106.137.52.in-addr.arpa IN PTR -> (empty); 73 B / 147 B; 1 / 1
- 8.8.8.8.in-addr.arpa IN PTR -> dns.google; 66 B / 90 B; 1 / 1
- 77.190.18.2.in-addr.arpa IN PTR -> a2-18-190-77.deploy.static.akamaitechnologies.com; 70 B / 133 B; 1 / 1
- 23.159.190.20.in-addr.arpa IN PTR -> (empty); 72 B / 158 B; 1 / 1
- 95.221.229.192.in-addr.arpa IN PTR -> (empty); 73 B / 144 B; 1 / 1
- 228.249.119.40.in-addr.arpa IN PTR -> (empty); 73 B / 159 B; 1 / 1
- 50.23.12.20.in-addr.arpa IN PTR -> (empty); 70 B / 156 B; 1 / 1
- 241.42.69.40.in-addr.arpa IN PTR -> (empty); 71 B / 145 B; 1 / 1
- 172.210.232.199.in-addr.arpa IN PTR -> (empty); 74 B / 128 B; 1 / 1
- 79.190.18.2.in-addr.arpa IN PTR -> a2-18-190-79.deploy.static.akamaitechnologies.com; 70 B / 133 B; 1 / 1
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 105KB
- MD5: 1713dcea0892955ae4ad238bf4b9a34d
- SHA1: 172c10720153e717402654f97ad56516f43705bf
- SHA256: e4cbc03a8bea10728e756b7187435b3675af2d45ace12e6b6641e44b25d54b23
- SHA512: e0a0a1ec9e9380bcc1692016dcadb6b794ef13e3a49b9709799c8b281401cd0faa0b63b0aa0fa750820cdec674f7c6e02e259e66cf843975fcbd49e9c1be021c