Analysis

  • max time kernel
    93s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 07:48

General

  • Target

    fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll

  • Size

    711KB

  • MD5

    fab0884d2195505ff7f09bd8d3722950

  • SHA1

    f8d887f4c6a26d149b5a24f4b99cffa0da21b9e9

  • SHA256

    d9298f07aac5622c157269d51694152eb01f4557d11629dcb0e694f38be6e4db

  • SHA512

    49d702346b2ecd166096e7ad786e429c8030518b865d1e1889c24e2af463321e0f0caee021a949dc135872617644909c47e3fb66adf6b16b50612c2c8127c97a

  • SSDEEP

    12288:hNIyZN4+Wv4PLq6Okrh9ZN/hs9DsdBPDn/WOGR:h9TPmirh9Zdh6m/WOI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3740
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 268
          4⤵
          • Program crash
          PID:232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 608
        3⤵
        • Program crash
        PID:2708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
    1⤵
      PID:4304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3740 -ip 3740
      1⤵
        PID:2540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        125KB

        MD5

        8765eff9ced671b9fba53a55aacba014

        SHA1

        e15c775cc7004a736d6fc7aca09c5d80cf7ff3de

        SHA256

        18157bf099f2f7861621864b7d63cc92077f5c20e9637ccf50f1821c37fa482d

        SHA512

        9f46bf25cabdfbfca6805d2c22369f949a6048c833d037d413dece708cd12bab32e17a21d875437c488ab9e9b5487a1f3865d4bb1ad8cc2dad94d211c18590f4

      • memory/2088-1-0x0000000010000000-0x00000000100B8000-memory.dmp

        Filesize

        736KB

      • memory/2088-8-0x0000000010000000-0x00000000100B8000-memory.dmp

        Filesize

        736KB

      • memory/3740-4-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

      • memory/3740-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

        Filesize

        4KB

      • memory/3740-7-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB