Overview
overview
7Static
static
3ffb5f52f72...18.exe
windows7-x64
7ffb5f52f72...18.exe
windows10-2004-x64
7$PLUGINSDIR/7za.exe
windows7-x64
3$PLUGINSDIR/7za.exe
windows10-2004-x64
3$PLUGINSDI...G].exe
windows7-x64
3$PLUGINSDI...G].exe
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
90s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2024 01:49
Static task
static1
Behavioral task
behavioral1
Sample
ffb5f52f726cd6a713e34d88b9e80e5a_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ffb5f52f726cd6a713e34d88b9e80e5a_JaffaCakes118.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/7za.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/7za.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/[RANDOM_STRING].exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/[RANDOM_STRING].exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
General
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
acc2b699edfea5bf5aae45aba3a41e96
-
SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2
-
SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
-
SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
SSDEEP
96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4976 3840 WerFault.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2276 wrote to memory of 3840 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 3840 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 3840 2276 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 6123⤵
- Program crash
PID:4976
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 38401⤵PID:4352