Analysis

max time kernel: 93s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 04:26

Static task: static1
Behavioral task: behavioral1
Sample: f74bd8aec3f00c549c97c61e57e0a5dd_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: f74bd8aec3f00c549c97c61e57e0a5dd_JaffaCakes118.dll
Size: 192KB
MD5: f74bd8aec3f00c549c97c61e57e0a5dd
SHA1: 20a587e202ef94ca5bbad5a5b9227a70b0f85b70
SHA256: fc6f41e774a9f8c8333fe856208c94921e503050d2940e1ce5accbb44ad8b80a
SHA512: ff7e54758a993825ede42f1a001129c088b49f44bfd4f8362ff3717794288c079b0c4713af92a0cb0a8c56a7d006a1714d6d6acd99e51c879ad4cf321f0a0448
SSDEEP: 3072:Fh9zru102aidEwKsBIjucV6X6Gk50Ro6hNvJmkXUfpVq18aqe:vFL2aimsjO0y6hFibq18Re
Malware Config

Signatures

- Ramnit family

- Executes dropped EXE (1 IoC)
  PID 3780  Process: rundll32mgr.exe

- Loads dropped DLL (1 IoC)
  PID 3780  Process: rundll32mgr.exe

- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\rundll32mgr.exe  Process: rundll32.exe

- YARA rule match: upx
  Resource: behavioral2/memory/3780-10-0x0000000000400000-0x000000000042A000-memory.dmp

- Program crash (1 IoC)
  PID 5080  Process: WerFault.exe  target PID 3780  procid_target 83

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: rundll32.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: rundll32mgr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 548 wrote to memory of 4508  Process: rundll32.exe  procid_target 82
  PID 548 wrote to memory of 4508  Process: rundll32.exe  procid_target 82
  PID 548 wrote to memory of 4508  Process: rundll32.exe  procid_target 82
  PID 4508 wrote to memory of 3780  Process: rundll32.exe  procid_target 83
  PID 4508 wrote to memory of 3780  Process: rundll32.exe  procid_target 83
  PID 4508 wrote to memory of 3780  Process: rundll32.exe  procid_target 83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f74bd8aec3f00c549c97c61e57e0a5dd_JaffaCakes118.dll,#1
  PID: 548
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f74bd8aec3f00c549c97c61e57e0a5dd_JaffaCakes118.dll,#1
    PID: 4508
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 3780
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 540
        PID: 5080
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3780 -ip 3780
  PID: 5060
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Filesize: 106KB
MD5: dcd2cafa72c9d5bd898b636a18133d3c
SHA1: b55e85453de9254cbf4c21c0de92d82c6deefccb
SHA256: 936b14fbbf629fcf92ac06673d974de2b2a44a109953e6664e1c36a4e5c9d27c
SHA512: 59e475f668015b3a6372d79ea6459b21ae591d73305b7696ef139fe0e716f1038595ea5df079e1850535e6358aef4d8e92bdee68ffd07b44471bc7133041952c