Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-01-2025 07:40
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll
-
Size
156KB
-
MD5
4c9a1d8f0b983034f302f2622795fa0d
-
SHA1
a88c4ae6ec6f29aa6a3bf8723c2deffdb8fbc545
-
SHA256
e8399a473af5316fbbbafb2b12015562fe73f990596850786d3e5d1a14358fba
-
SHA512
cfecf60fceef93d7e410da43537c8e1f8a9cec57a2db6a10ff9e0a38ff8f48e2d53713aedf9fe00aa2dce3305fce79f8c47730d850621848175a157313c69963
-
SSDEEP
3072:G61Ye3TaEu2CoCcn3zO7A4D8XlizSxNP8OZfitqTPwZb:bTa12CoCckAe81gSxNPBfvP
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3808 rundll32Srv.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
resource yara_rule behavioral2/files/0x000a000000023bef-3.dat upx behavioral2/memory/3808-4-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral2/memory/3808-7-0x0000000000400000-0x0000000000441000-memory.dmp upx -
Program crash 2 IoCs
pid pid_target Process procid_target 4496 3808 WerFault.exe 84 1008 1480 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32Srv.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1360 wrote to memory of 1480 1360 rundll32.exe 83 PID 1360 wrote to memory of 1480 1360 rundll32.exe 83 PID 1360 wrote to memory of 1480 1360 rundll32.exe 83 PID 1480 wrote to memory of 3808 1480 rundll32.exe 84 PID 1480 wrote to memory of 3808 1480 rundll32.exe 84 PID 1480 wrote to memory of 3808 1480 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c9a1d8f0b983034f302f2622795fa0d.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3808 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 2684⤵
- Program crash
PID:4496
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 6123⤵
- Program crash
PID:1008
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3808 -ip 38081⤵PID:4552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1480 -ip 14801⤵PID:2316
Network
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTRResponse134.71.91.104.in-addr.arpaIN PTRa104-91-71-134deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
134.71.91.104.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5f6736faa3126f64ed4a7109e40c47806
SHA10d50917f44d6e173bac24916c95343616dcbf18c
SHA256bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874
SHA51229cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5