Overview

overview

7

Static

static

3

411838691e...18.dll

windows7-x64

7

411838691e...18.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 17:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    411838691e0159f4d66a5e566c10c2fb_JaffaCakes118.dll

  • Size

    448KB

  • MD5

    411838691e0159f4d66a5e566c10c2fb

  • SHA1

    08e0494fc597127895076bc42bf29e03750df89c

  • SHA256

    2156a83263417bc3b1548692be70bdad2424a09f282a48b242eae8a92ed5ef22

  • SHA512

    24fb01f5e42ff7ef1fae30cc9f37f95772f059e11c287dc34ade6db6b61ae5c6f140add8f944175731cffc2f966247204aa394801ac86cb5e77fc7658c012c5c

  • SSDEEP

    12288:goz83OtIEzW+/m/AyF7bCrO/Ec4WOMDns:dbIEzW+/m/rF7kcZ4WvDns

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\411838691e0159f4d66a5e566c10c2fb_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\411838691e0159f4d66a5e566c10c2fb_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        PID:4100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 268
          4⤵
          • Program crash
          PID:2192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 608
        3⤵
        • Program crash
        PID:2280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4100 -ip 4100
    1⤵
      PID:4464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3520 -ip 3520
      1⤵
        PID:2304

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\rundll32mgr.exe
              Filesize

              104KB

              MD5

              820d63bce2d38939d98eed99d4a10a3e

              SHA1

              432bf652dd2d3c84c8f15b0f0fc60bef375c688c

              SHA256

              0f6be6c3bbc523cc198e72f11996e630ea3dcf05f302a16559746f1b24795a81

              SHA512

              14e2f56142a34162a94b037e8dac485f68c34c3a8abe0cb7c0f3d27624a715dbb96786ad2eb7aa12d1f569ca3957409c703eae7d2caa6776d8d73fe1a3218168

              Download Submit

            • memory/3520-1-0x000000007C340000-0x000000007C3B1000-memory.dmp

              Filesize

              452KB

              Download

            • memory/3520-8-0x000000007C340000-0x000000007C3B1000-memory.dmp

              Filesize

              452KB

              Download

            • memory/4100-6-0x0000000000570000-0x0000000000571000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-5-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download