Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
03/10/2024, 17:24
Static task
static1
Behavioral task
behavioral1
Sample
0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll
Resource
win7-20240903-en
General
Target
0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll
Size
96KB
MD5
0fd6e7c396063517b9d82be20437cfcf
SHA1
0a3cd77a98e869068954fd2d870b2b64382c6f47
SHA256
d46734e8a732cf0a28b717dd8dae251a71582314923c9cc4cbbe17b0a46e8c48
SHA512
31f633533396ee4bc2231731ceb305249825bdca18c8aeef0ccd00a45f978e6aed00cffcaca0add107346a922f888f6d27fedeb7a1dc232c91638dce68f379ad
SSDEEP
1536:i6lIdSDpfArqe2FeEuWR3YvsEnLD34+9Mz0rtbX01oqtAEfM:2dSdf9nusEnnz94iBIoqtAEU
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid   Process
2792  rundll32mgr.exe

Loads dropped DLL 9 IoCs
pid   Process
2448  rundll32.exe
2448  rundll32.exe
2888  WerFault.exe
2888  WerFault.exe
2888  WerFault.exe
2888  WerFault.exe
2888  WerFault.exe
2888  WerFault.exe
2888  WerFault.exe

Drops file in System32 directory 1 IoCs
description   ioc                                    Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe    rundll32.exe

Program crash 1 IoCs
pid   pid_target  Process       procid_target
2888  2792        WerFault.exe  31
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                               Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      rundll32mgr.exe
Suspicious use of WriteProcessMemory 15 IoCs
description                          pid   Process          procid_target
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2096 wrote to memory of 2448     2096  rundll32.exe     30
PID 2448 wrote to memory of 2792     2448  rundll32.exe     31
PID 2448 wrote to memory of 2792     2448  rundll32.exe     31
PID 2448 wrote to memory of 2792     2448  rundll32.exe     31
PID 2448 wrote to memory of 2792     2448  rundll32.exe     31
PID 2792 wrote to memory of 2888     2792  rundll32mgr.exe  32
PID 2792 wrote to memory of 2888     2792  rundll32mgr.exe  32
PID 2792 wrote to memory of 2888     2792  rundll32mgr.exe  32
PID 2792 wrote to memory of 2888     2792  rundll32mgr.exe  32
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2096

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448

    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2792

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92
        - Loads dropped DLL
        - Program crash
        PID:2888
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
60KB
MD5
cd963c64ad0bea4ca85a4819f6eefed1
SHA1
d9cd6316cf3c6ce5ceec9694c2debc7b7981775f
SHA256
33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906
SHA512
f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e