nloader | e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a469d5403003584e71c5e5bdbfc5d4e4_JaffaCakes118.dll
Size

22KB
MD5

a469d5403003584e71c5e5bdbfc5d4e4
SHA1

adf569be634c8bd03cc1948042499545a1bd1996
SHA256

e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a
SHA512

fabdb31756703f80cf168ee43f47e1538b43e02e4f9ac648c852aa7da3b87add8aaad1a08865ff2d8f2f1e48d4122fe7faf67453924885badad63df8c2f4c15a
SSDEEP

384:cbSEIxxeXVaZEFV+PC1oengot1Snb7iniHdbN8S6:cboclamUwoegIq8s5CS

Score

10^/10

nloader discovery loader

Malware Config

Signatures

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader
Nloader family
nloader

Nloader payload 2 IoCs

resource	yara_rule
behavioral2/memory/1340-3-0x0000000000D30000-0x0000000000D35000-memory.dmp	nloader
behavioral2/memory/1340-0-0x0000000010000000-0x0000000010007000-memory.dmp	nloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1340	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2864	1340	WerFault.exe	83
3560	1340	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1340	5004	rundll32.exe	83
PID 5004 wrote to memory of 1340	5004	rundll32.exe	83
PID 5004 wrote to memory of 1340	5004	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a469d5403003584e71c5e5bdbfc5d4e4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a469d5403003584e71c5e5bdbfc5d4e4_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 804
    3⤵
    - Program crash
    PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 828
    3⤵
    - Program crash
    PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1340 -ip 1340
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-3-0x0000000000D30000-0x0000000000D35000-memory.dmp

Filesize
20KB

Download
memory/1340-0-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download