Analysis
max time kernel: 134s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2024, 03:33
Static task: static1
Behavioral task: behavioral1
Sample: 16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: 16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll
Size: 188KB
MD5: 16001725169ca21396b2b16ababbf08a
SHA1: 0cf98dae59054dbe17ce52d0a9dca136367c9881
SHA256: d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875
SHA512: c6e3223d0db321acc07ce9d01df57d06e23d9142e8dad4be02dcc1c247403244d908aad70ef67aa57cb0b5a747fe6f677dd232801593067278793bbb6fcc6013
SSDEEP: 3072:4FVd8No9EzfVakCpIUZV+NInROITg2b+lXbqWokZc:4HdEaEzfHOjRO2b+JqWO
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2968  rundll32mgr.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

YARA rule matches (3 IoCs)
  resource                                                               yara_rule
  behavioral2/files/0x000a000000023bd5-3.dat                             upx
  behavioral2/memory/2968-5-0x0000000000400000-0x0000000000467000-memory.dmp  upx
  behavioral2/memory/2968-8-0x0000000000400000-0x0000000000467000-memory.dmp  upx

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4372  2968        WerFault.exe  84
  4496  4956        WerFault.exe  83

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1400 wrote to memory of 4956  1400  rundll32.exe  83
  PID 1400 wrote to memory of 4956  1400  rundll32.exe  83
  PID 1400 wrote to memory of 4956  1400  rundll32.exe  83
  PID 4956 wrote to memory of 2968  4956  rundll32.exe  84
  PID 4956 wrote to memory of 2968  4956  rundll32.exe  84
  PID 4956 wrote to memory of 2968  4956  rundll32.exe  84
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
    PID: 1400
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
        PID: 4956
        signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32mgr.exe
            command line: C:\Windows\SysWOW64\rundll32mgr.exe
            PID: 2968
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 264
                PID: 4372
                signatures: Program crash

        C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 608
            PID: 4496
            signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968
    PID: 1176

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4956 -ip 4956
    PID: 3264
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 145KB
MD5: f4334cf7fe43a953091dc12bf138e6b9
SHA1: 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b
SHA256: 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40
SHA512: ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6