Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    03/10/2024, 21:20

General

  • Target

    108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll

  • Size

    432KB

  • MD5

    108bdf02c9eef1175ea53df02020ac7a

  • SHA1

    4a19e66696c5e9a6f53dd5536c3608f9d485f0c9

  • SHA256

    a1d33cfc2c83a6b6a7a30966f9b90be161bf62c99879567888432a62a17d27ae

  • SHA512

    ca04b04affb68c3e5141504a499c34e7187fbe4dae3dc248d129e6e20f901de5d05f12a2ee5bc813ba2b17dd0d7fe38824e5a49a7eca3391f45399607a726ce5

  • SSDEEP

    6144:Hl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyReNMMXUOVEqx4eKhN02DKOMby89VP:HlCzcMg+9YkDiQ3/QjFXUje+hNF4VETK

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 156
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2564
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 152
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224
        3⤵
        • Program crash
        PID:2944

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          193KB

          MD5

          b80ba009ada99611fb0f58a874e2a2c6

          SHA1

          233a75da371c7de9d55b6e69a11b1520d4d4758b

          SHA256

          cde713c433fff87c62831354e844a867acd211c14ff314589526ea4488c4b0db

          SHA512

          9097abf9565ed788ab781758a27b5552b0d847fcbb7c6fb8cf312efd6d640bcb0fc79a9798b0ea39a71f3fa126bb366947b33a4b8656c1a0743e33186ac761a2

        • \Windows\SysWOW64\rundll32mgrmgr.exe

          Filesize

          95KB

          MD5

          6bde351c18bbc50d5131f901df12e0ae

          SHA1

          f6f3aa982d86f8756db87772da94f8d8ad0bbdfe

          SHA256

          1f1b20a143a5cc4d1c103453b7c0f465f6cf1e1ae20425f416480c6fc968d9de

          SHA512

          da954bb740377e5ecbb74f227453ccefc68d0ac55deeb800dd6d3939765b34cfcb46fd3dfff1fea68b5ded09c310409f0d2f628dd2bfe35f20e6d22c321be4dc

        • memory/2116-22-0x00000000000D0000-0x00000000000F3000-memory.dmp

          Filesize

          140KB

        • memory/2116-12-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2116-38-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2528-9-0x00000000752E0000-0x000000007534C000-memory.dmp

          Filesize

          432KB

        • memory/2528-14-0x0000000000270000-0x00000000002AC000-memory.dmp

          Filesize

          240KB

        • memory/2528-11-0x0000000075260000-0x00000000752CC000-memory.dmp

          Filesize

          432KB

        • memory/2528-4-0x0000000075270000-0x00000000752DC000-memory.dmp

          Filesize

          432KB

        • memory/2528-1-0x00000000752E0000-0x000000007534C000-memory.dmp

          Filesize

          432KB

        • memory/2948-23-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2948-39-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB