Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/10/2024, 04:01
Static task: static1
Behavioral task: behavioral1
Sample: 161337d3ffd09408a54f615ee3c1116f_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: 161337d3ffd09408a54f615ee3c1116f_JaffaCakes118.dll
Size: 104KB
MD5: 161337d3ffd09408a54f615ee3c1116f
SHA1: 2ce8e4271f993a1611db8084ce3dfb5243f9e71a
SHA256: dffdeda62abe601e86fdc4a95d710daa9ce5bdd2b8ebdd9f62fd664f2a3ef032
SHA512: 84a66703b483d1782e72284cad089d09eb48f349ae5d360ace682eba68f732257e2c2a929df706cb9bacdc947b785031d41408defb62b47ef0a171f8aa2bdfe9
SSDEEP: 3072:TD09MaWLOdfPQdYeW2URSTmzEuVUP/AytUeGi:laqOdHQoOju+nA0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2356  rundll32mgr.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2132  rundll32.exe
  2132  rundll32.exe
  2200  WerFault.exe
  2200  WerFault.exe
  2200  WerFault.exe
  2200  WerFault.exe
  2200  WerFault.exe
  2200  WerFault.exe
  2200  WerFault.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2232  2132        WerFault.exe  30
  2200  2356        WerFault.exe  31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process          procid_target
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2432 wrote to memory of 2132  2432  rundll32.exe     30
  PID 2132 wrote to memory of 2356  2132  rundll32.exe     31
  PID 2132 wrote to memory of 2356  2132  rundll32.exe     31
  PID 2132 wrote to memory of 2356  2132  rundll32.exe     31
  PID 2132 wrote to memory of 2356  2132  rundll32.exe     31
  PID 2356 wrote to memory of 2200  2356  rundll32mgr.exe  33
  PID 2356 wrote to memory of 2200  2356  rundll32mgr.exe  33
  PID 2356 wrote to memory of 2200  2356  rundll32mgr.exe  33
  PID 2356 wrote to memory of 2200  2356  rundll32mgr.exe  33
  PID 2132 wrote to memory of 2232  2132  rundll32.exe     32
  PID 2132 wrote to memory of 2232  2132  rundll32.exe     32
  PID 2132 wrote to memory of 2232  2132  rundll32.exe     32
  PID 2132 wrote to memory of 2232  2132  rundll32.exe     32
Processes
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\161337d3ffd09408a54f615ee3c1116f_JaffaCakes118.dll,#1
  PID: 2432
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\161337d3ffd09408a54f615ee3c1116f_JaffaCakes118.dll,#1
      PID: 2132
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32mgr.exe
          Command: C:\Windows\SysWOW64\rundll32mgr.exe
          PID: 2356
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 92
              PID: 2200
              - Loads dropped DLL
              - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 224
          PID: 2232
          - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 54KB
MD5: fba9053e3a7f286a68a072f5d1b57b42
SHA1: 19c4800e8de1e83ff7bf0b96a96563e8430ce9f3
SHA256: 5675295a26c3839803fd25fb667f2be09c2b6bf3412202a09c3dfc9a46eb4ca4
SHA512: ee53bbd9531801df780279da49bd34863513db67fbacbd6b0abb844d02cb76f5e86ed39ad28585b27aa42d3659a8fc9f3d1459f92f81eca970e69bac7c403c64