Analysis

  • max time kernel
    134s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 03:33

General

  • Target

    16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll

  • Size

    188KB

  • MD5

    16001725169ca21396b2b16ababbf08a

  • SHA1

    0cf98dae59054dbe17ce52d0a9dca136367c9881

  • SHA256

    d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875

  • SHA512

    c6e3223d0db321acc07ce9d01df57d06e23d9142e8dad4be02dcc1c247403244d908aad70ef67aa57cb0b5a747fe6f677dd232801593067278793bbb6fcc6013

  • SSDEEP

    3072:4FVd8No9EzfVakCpIUZV+NInROITg2b+lXbqWokZc:4HdEaEzfHOjRO2b+JqWO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 264
          4⤵
          • Program crash
          PID:4372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 608
        3⤵
        • Program crash
        PID:4496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968
    1⤵
      PID:1176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4956 -ip 4956
      1⤵
        PID:3264

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\rundll32mgr.exe

              Filesize

              145KB

              MD5

              f4334cf7fe43a953091dc12bf138e6b9

              SHA1

              11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b

              SHA256

              65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40

              SHA512

              ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6

            • memory/2968-5-0x0000000000400000-0x0000000000467000-memory.dmp

              Filesize

              412KB

            • memory/2968-6-0x00000000006D0000-0x00000000006D1000-memory.dmp

              Filesize

              4KB

            • memory/2968-8-0x0000000000400000-0x0000000000467000-memory.dmp

              Filesize

              412KB

            • memory/4956-0-0x000000006D140000-0x000000006D16F000-memory.dmp

              Filesize

              188KB

            • memory/4956-7-0x000000006D140000-0x000000006D16F000-memory.dmp

              Filesize

              188KB