7aadcea4b8bf52b14a027ea1cb9149bd85afefff1ae8a3faba8ef891f11daa9f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_008855f610d146db886f43db80dddd63.dll
Size

269KB
MD5

008855f610d146db886f43db80dddd63
SHA1

bc729c995c23a1867b47a737298c530325521075
SHA256

7aadcea4b8bf52b14a027ea1cb9149bd85afefff1ae8a3faba8ef891f11daa9f
SHA512

f73f0a34610a1d73e11e88936302f672812c5e60183cbb84660e26942f87b9c30c6d684a8a9b4db909b9ccf8d360278716d524c7a910c61cc982deb0b9bcda89
SSDEEP

3072:+CuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm60:+CIGPj038tAgFMldWNX+PD3o/9aM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2716	rundll32.exe
2716	rundll32.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2124	2652	WerFault.exe	31
2564	2716	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2824 wrote to memory of 2716	2824	rundll32.exe	30
PID 2716 wrote to memory of 2652	2716	rundll32.exe	31
PID 2716 wrote to memory of 2652	2716	rundll32.exe	31
PID 2716 wrote to memory of 2652	2716	rundll32.exe	31
PID 2716 wrote to memory of 2652	2716	rundll32.exe	31
PID 2652 wrote to memory of 2124	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2124	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2124	2652	rundll32mgr.exe	33
PID 2652 wrote to memory of 2124	2652	rundll32mgr.exe	33
PID 2716 wrote to memory of 2564	2716	rundll32.exe	32
PID 2716 wrote to memory of 2564	2716	rundll32.exe	32
PID 2716 wrote to memory of 2564	2716	rundll32.exe	32
PID 2716 wrote to memory of 2564	2716	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_008855f610d146db886f43db80dddd63.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_008855f610d146db886f43db80dddd63.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 224
    3⤵
    - Program crash
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
41c35c864ab7a4021ed987e25836ca25

SHA1
a30684755bef880a031637023156470b6ab45f44

SHA256
bf4fd6e948069e4db9784519dfff636e522436fc32f8eb15bb4287f8cd6c2127

SHA512
5455f2fe424e3671dec8594a9c86a919455cbad3665e418c885124f6c935e4c753de78677bc5e62389c35a9b372feeb6fcc33a19e8d36ae5f8f020e56b286962

Download Submit
memory/2652-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-8-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2716-10-0x00000000001E0000-0x000000000021C000-memory.dmp

Filesize
240KB

Download
memory/2716-9-0x00000000001E0000-0x000000000021C000-memory.dmp

Filesize
240KB

Download