Analysis
max time kernel: 94s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 00:19

Static task: static1
Behavioral task: behavioral1
Sample: f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll
Size: 237KB
MD5: f667671bdf5170d3e25e0360817082c9
SHA1: a494e7b08af1c47e8eebe41c7d26e53befeda4d7
SHA256: ce013942a8e802231ad39f922cdea139ce9a737ac20c1b48517065ce5e40f206
SHA512: 888473c8a527e441b0b126a84294d523902cc0a57b300f828825901e5558cedef1c73d809e9987ab42c60f6d3c2f1df42fd69542a3634035df1febd2290ceaaf
SSDEEP: 3072:C+gMajJFHo/W1axo5W1Om0XxZANPIkWVHtXWKn5PMEzhRxfMGAQKKuqCabTJgrqb:PgLH01BGkP0XWQMahR6G9KDqCab1grwz
Malware Config

Signatures

Ramnit family

Executes dropped EXE 1 IoCs
  pid   Process
  4368  rundll32mgr.exe

Loads dropped DLL 1 IoCs
  pid   Process
  4368  rundll32mgr.exe

Drops file in System32 directory 1 IoCs
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

  resource                                                                    yara_rule
  behavioral2/memory/4368-5-0x0000000000400000-0x0000000000451000-memory.dmp  upx
  behavioral2/memory/4368-6-0x0000000000400000-0x0000000000451000-memory.dmp  upx

Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  4728  4368        WerFault.exe  83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process       procid_target
  PID 4844 wrote to memory of 612   4844  rundll32.exe  82
  PID 4844 wrote to memory of 612   4844  rundll32.exe  82
  PID 4844 wrote to memory of 612   4844  rundll32.exe  82
  PID 612 wrote to memory of 4368   612   rundll32.exe  83
  PID 612 wrote to memory of 4368   612   rundll32.exe  83
  PID 612 wrote to memory of 4368   612   rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll,#1
  PID:4844
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll,#1
    PID:612
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      PID:4368
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 508
        PID:4728
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
  PID:864
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Filesize: 144KB
MD5: 609c9eadac4c1cc48b5f89be6c36e276
SHA1: f047b565fdb73d5b75ffaed7b2faa335e82b3514
SHA256: e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325
SHA512: 246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5