Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 21:20
Static task: static1
Behavioral task: behavioral1
Sample: 108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: 108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll
Size: 432KB
MD5: 108bdf02c9eef1175ea53df02020ac7a
SHA1: 4a19e66696c5e9a6f53dd5536c3608f9d485f0c9
SHA256: a1d33cfc2c83a6b6a7a30966f9b90be161bf62c99879567888432a62a17d27ae
SHA512: ca04b04affb68c3e5141504a499c34e7187fbe4dae3dc248d129e6e20f901de5d05f12a2ee5bc813ba2b17dd0d7fe38824e5a49a7eca3391f45399607a726ce5
SSDEEP: 6144:Hl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyReNMMXUOVEqx4eKhN02DKOMby89VP:HlCzcMg+9YkDiQ3/QjFXUje+hNF4VETK
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2116  rundll32mgr.exe
  2948  rundll32mgrmgr.exe

Loads dropped DLL (18 IoCs)
  pid   Process
  2528  rundll32.exe
  2528  rundll32.exe
  2116  rundll32mgr.exe
  2116  rundll32mgr.exe
  1928  WerFault.exe
  1928  WerFault.exe
  1928  WerFault.exe
  1928  WerFault.exe
  1928  WerFault.exe
  1928  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  2564  WerFault.exe
  1928  WerFault.exe

Drops file in System32 directory (2 IoCs)
  description   ioc                                     Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe     rundll32.exe
  File created  C:\Windows\SysWOW64\rundll32mgrmgr.exe  rundll32mgr.exe

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  2944  2528        WerFault.exe  30
  1928  2116        WerFault.exe
  2564  2948        WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgrmgr.exe
Suspicious use of WriteProcessMemory (27 IoCs)
  description                       pid   Process             procid_target
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 1956 wrote to memory of 2528  1956  rundll32.exe        30
  PID 2528 wrote to memory of 2116  2528  rundll32.exe        31
  PID 2528 wrote to memory of 2116  2528  rundll32.exe        31
  PID 2528 wrote to memory of 2116  2528  rundll32.exe        31
  PID 2528 wrote to memory of 2116  2528  rundll32.exe        31
  PID 2116 wrote to memory of 2948  2116  rundll32mgr.exe     33
  PID 2116 wrote to memory of 2948  2116  rundll32mgr.exe     33
  PID 2116 wrote to memory of 2948  2116  rundll32mgr.exe     33
  PID 2116 wrote to memory of 2948  2116  rundll32mgr.exe     33
  PID 2116 wrote to memory of 1928  2116  rundll32mgr.exe     34
  PID 2116 wrote to memory of 1928  2116  rundll32mgr.exe     34
  PID 2116 wrote to memory of 1928  2116  rundll32mgr.exe     34
  PID 2116 wrote to memory of 1928  2116  rundll32mgr.exe     34
  PID 2528 wrote to memory of 2944  2528  rundll32.exe        32
  PID 2528 wrote to memory of 2944  2528  rundll32.exe        32
  PID 2528 wrote to memory of 2944  2528  rundll32.exe        32
  PID 2528 wrote to memory of 2944  2528  rundll32.exe        32
  PID 2948 wrote to memory of 2564  2948  rundll32mgrmgr.exe  35
  PID 2948 wrote to memory of 2564  2948  rundll32mgrmgr.exe  35
  PID 2948 wrote to memory of 2564  2948  rundll32mgrmgr.exe  35
  PID 2948 wrote to memory of 2564  2948  rundll32mgrmgr.exe  35
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
  PID: 1956
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
    PID: 2528
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 2116
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        PID: 2948
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 156
          PID: 2564
          - Loads dropped DLL
          - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 152
        PID: 1928
        - Loads dropped DLL
        - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224
      PID: 2944
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 193KB
MD5: b80ba009ada99611fb0f58a874e2a2c6
SHA1: 233a75da371c7de9d55b6e69a11b1520d4d4758b
SHA256: cde713c433fff87c62831354e844a867acd211c14ff314589526ea4488c4b0db
SHA512: 9097abf9565ed788ab781758a27b5552b0d847fcbb7c6fb8cf312efd6d640bcb0fc79a9798b0ea39a71f3fa126bb366947b33a4b8656c1a0743e33186ac761a2

Filesize: 95KB
MD5: 6bde351c18bbc50d5131f901df12e0ae
SHA1: f6f3aa982d86f8756db87772da94f8d8ad0bbdfe
SHA256: 1f1b20a143a5cc4d1c103453b7c0f465f6cf1e1ae20425f416480c6fc968d9de
SHA512: da954bb740377e5ecbb74f227453ccefc68d0ac55deeb800dd6d3939765b34cfcb46fd3dfff1fea68b5ded09c310409f0d2f628dd2bfe35f20e6d22c321be4dc