Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 17:24

General

  • Target

    0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll

  • Size

    96KB

  • MD5

    0fd6e7c396063517b9d82be20437cfcf

  • SHA1

    0a3cd77a98e869068954fd2d870b2b64382c6f47

  • SHA256

    d46734e8a732cf0a28b717dd8dae251a71582314923c9cc4cbbe17b0a46e8c48

  • SHA512

    31f633533396ee4bc2231731ceb305249825bdca18c8aeef0ccd00a45f978e6aed00cffcaca0add107346a922f888f6d27fedeb7a1dc232c91638dce68f379ad

  • SSDEEP

    1536:i6lIdSDpfArqe2FeEuWR3YvsEnLD34+9Mz0rtbX01oqtAEfM:2dSdf9nusEnnz94iBIoqtAEU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2888

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\rundll32mgr.exe

          Filesize

          60KB

          MD5

          cd963c64ad0bea4ca85a4819f6eefed1

          SHA1

          d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

          SHA256

          33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

          SHA512

          f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

        • memory/2448-3-0x000000006D180000-0x000000006D198000-memory.dmp

          Filesize

          96KB

        • memory/2448-1-0x000000006D180000-0x000000006D198000-memory.dmp

          Filesize

          96KB

        • memory/2448-0-0x000000006D180000-0x000000006D198000-memory.dmp

          Filesize

          96KB