Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 07:40

General

  • Target

    JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll

  • Size

    156KB

  • MD5

    4c9a1d8f0b983034f302f2622795fa0d

  • SHA1

    a88c4ae6ec6f29aa6a3bf8723c2deffdb8fbc545

  • SHA256

    e8399a473af5316fbbbafb2b12015562fe73f990596850786d3e5d1a14358fba

  • SHA512

    cfecf60fceef93d7e410da43537c8e1f8a9cec57a2db6a10ff9e0a38ff8f48e2d53713aedf9fe00aa2dce3305fce79f8c47730d850621848175a157313c69963

  • SSDEEP

    3072:G61Ye3TaEu2CoCcn3zO7A4D8XlizSxNP8OZfitqTPwZb:bTa12CoCckAe81gSxNPBfvP

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 268
          4⤵
          • Program crash
          PID:4496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 612
        3⤵
        • Program crash
        PID:1008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3808 -ip 3808
    1⤵
      PID:4552
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1480 -ip 1480
      1⤵
        PID:2316

      Network

      • flag-us
        DNS
        136.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        136.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        197.87.175.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        197.87.175.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        134.71.91.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        134.71.91.104.in-addr.arpa
        IN PTR
        Response
        134.71.91.104.in-addr.arpa
        IN PTR
        a104-91-71-134deploystaticakamaitechnologiescom
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        136.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        136.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        197.87.175.4.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        197.87.175.4.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        134.71.91.104.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        134.71.91.104.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\rundll32Srv.exe

        Filesize

        94KB

        MD5

        f6736faa3126f64ed4a7109e40c47806

        SHA1

        0d50917f44d6e173bac24916c95343616dcbf18c

        SHA256

        bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

        SHA512

        29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

      • memory/1480-1-0x000000006D100000-0x000000006D127000-memory.dmp

        Filesize

        156KB

      • memory/1480-8-0x000000006D100000-0x000000006D127000-memory.dmp

        Filesize

        156KB

      • memory/3808-4-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/3808-6-0x0000000000670000-0x0000000000671000-memory.dmp

        Filesize

        4KB

      • memory/3808-7-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.