Analysis

max time kernel: 93s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 07:48

Static task: static1
Behavioral task: behavioral1
Sample: fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll
Size: 711KB
MD5: fab0884d2195505ff7f09bd8d3722950
SHA1: f8d887f4c6a26d149b5a24f4b99cffa0da21b9e9
SHA256: d9298f07aac5622c157269d51694152eb01f4557d11629dcb0e694f38be6e4db
SHA512: 49d702346b2ecd166096e7ad786e429c8030518b865d1e1889c24e2af463321e0f0caee021a949dc135872617644909c47e3fb66adf6b16b50612c2c8127c97a
SSDEEP: 12288:hNIyZN4+Wv4PLq6Okrh9ZN/hs9DsdBPDn/WOGR:h9TPmirh9Zdh6m/WOI
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  3740  rundll32mgr.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                                   Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe   rundll32.exe

- UPX YARA rule matches (3 IoCs)
  resource                                                                    yara_rule
  behavioral2/files/0x0009000000023c7c-3.dat                                  upx
  behavioral2/memory/3740-4-0x0000000000400000-0x000000000046C000-memory.dmp  upx
  behavioral2/memory/3740-7-0x0000000000400000-0x000000000046C000-memory.dmp  upx

- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2708  2088        WerFault.exe  83
  232   3740        WerFault.exe  84

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 2848 wrote to memory of 2088   2848  rundll32.exe  83
  PID 2848 wrote to memory of 2088   2848  rundll32.exe  83
  PID 2848 wrote to memory of 2088   2848  rundll32.exe  83
  PID 2088 wrote to memory of 3740   2088  rundll32.exe  84
  PID 2088 wrote to memory of 3740   2088  rundll32.exe  84
  PID 2088 wrote to memory of 3740   2088  rundll32.exe  84
Processes

- C:\Windows\system32\rundll32.exe (PID: 2848)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2088)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fab0884d2195505ff7f09bd8d3722950_JaffaCakes118.dll,#1
    signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID: 3740)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID: 232)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 268
        signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID: 2708)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 608
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID: 4304)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
- C:\Windows\SysWOW64\WerFault.exe (PID: 2540)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3740 -ip 3740
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 125KB
MD5: 8765eff9ced671b9fba53a55aacba014
SHA1: e15c775cc7004a736d6fc7aca09c5d80cf7ff3de
SHA256: 18157bf099f2f7861621864b7d63cc92077f5c20e9637ccf50f1821c37fa482d
SHA512: 9f46bf25cabdfbfca6805d2c22369f949a6048c833d037d413dece708cd12bab32e17a21d875437c488ab9e9b5487a1f3865d4bb1ad8cc2dad94d211c18590f4