Overview

overview

10

Static

static

3

9860c56e94...18.dll

windows7-x64

7

9860c56e94...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9860c56e947f020b8c79d7ebcc8b326c_JaffaCakes118.dll

  • Size

    129KB

  • MD5

    9860c56e947f020b8c79d7ebcc8b326c

  • SHA1

    32a736ebbb446e804860c6a17074bf91916d0ca7

  • SHA256

    ecd6d9aa9c78a8e41be57082eaebc38545fc93bc4cf5ff5a2790df4aa0aecf3d

  • SHA512

    e85817c951c64e413806cacaf3248aab22cbb09b43719114a994c11f4d073bbc15bf0b75cd64e76a0004fd12a829c03a02a0a483ce4f95d1f96926edd9336155

  • SSDEEP

    1536:Tm8pJcJUTG+yLgVMYJT/qlenN5kw65sg4W0HXRdQVrcGhDn/beN5Zlun7/yu6DBf:aggY2cnN5kw65sgr0rurcy/OpsG9Bf

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9860c56e947f020b8c79d7ebcc8b326c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9860c56e947f020b8c79d7ebcc8b326c_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 100
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    60KB

    MD5

    94f2f6ffbba8e7644668b51b39983916

    SHA1

    63357bbdf90101969117983dbc0d4ed0e713c4d7

    SHA256

    ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

    SHA512

    d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

    Download Submit

  • memory/3064-0-0x00000000000B0000-0x00000000000D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-2-0x00000000000B0000-0x00000000000D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-17-0x00000000000B0000-0x00000000000D6000-memory.dmp

    Filesize

    152KB

    Download