Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 02:18

General

  • Target

    f9b7187292154345167b042c50421b71_JaffaCakes118.dll

  • Size

    240KB

  • MD5

    f9b7187292154345167b042c50421b71

  • SHA1

    1d154421fdf341ef5390c160f838252b3bd00fa7

  • SHA256

    7e616f2b9f07135ad0324568a351e31e6e473095c2bbe245dbf01e416c6280cb

  • SHA512

    e14c0dc9288abd2c47a2ea32b0ba5bc836378f9d3721e7dd23c4e1a66baa370871c03a10a1f144c728543de65047f6ba8d00185b85ea6272bcca558341d0d6b1

  • SSDEEP

    3072:dNzt20uHs4Lhun3AZi3SnTyS72V7jzzCqHwJHoc8WqR08m1osj81MOaDv8tdUJn7:/zFn4ut3Oy+2xjXfI8wXD8MDvfqlS

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9b7187292154345167b042c50421b71_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\f9b7187292154345167b042c50421b71_JaffaCakes118.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 92
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:3000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\regsvr32mgr.exe

    Filesize

    59KB

    MD5

    aea1462e5f1f31dd74df7833b5a07305

    SHA1

    cea53b9b3311f1003df5d9266f9e3fbd5c971f28

    SHA256

    62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

    SHA512

    776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

  • memory/2296-1-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB