94df4593588eff3b4084bae23675fc06523915be3600a5458f080dd5ab7697d3

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_78f59abb13c18b97df25064a7d7379b0.dll
Size

221KB
MD5

78f59abb13c18b97df25064a7d7379b0
SHA1

e85980d623212decac94efefecf9a10cdce3aae8
SHA256

94df4593588eff3b4084bae23675fc06523915be3600a5458f080dd5ab7697d3
SHA512

b47ae95fbdeda1aae59ce17e8980e41f2fb750f4fe150a7aecbc83258f7b23c9f3d22bc8b89e69fddb8e6b053ad40dbcc86d3ab61e788ec33d291dfc650144ad
SSDEEP

3072:Bevj25xBncg9i9ICBHDRNO+wGlSwxFxq0D1bdB1Fw43R3Ab+2vyXU:MvOxBcgQ9IC52+bFxrR9DqvyE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	rundll32.exe
2524	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	rundll32mgr.exe

Suspicious behavior: MapViewOfSection 27 IoCs

pid	Process
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe
2116	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2516 wrote to memory of 2524	2516	rundll32.exe	31
PID 2524 wrote to memory of 2116	2524	rundll32.exe	32
PID 2524 wrote to memory of 2116	2524	rundll32.exe	32
PID 2524 wrote to memory of 2116	2524	rundll32.exe	32
PID 2524 wrote to memory of 2116	2524	rundll32.exe	32
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 384	2116	rundll32mgr.exe	3
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 392	2116	rundll32mgr.exe	4
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 432	2116	rundll32mgr.exe	5
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 480	2116	rundll32mgr.exe	6
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 488	2116	rundll32mgr.exe	7
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 496	2116	rundll32mgr.exe	8
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 588	2116	rundll32mgr.exe	9
PID 2116 wrote to memory of 668	2116	rundll32mgr.exe	10
PID 2116 wrote to memory of 668	2116	rundll32mgr.exe	10
PID 2116 wrote to memory of 668	2116	rundll32mgr.exe	10
PID 2116 wrote to memory of 668	2116	rundll32mgr.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1956
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1412
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:736
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1044
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2324
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:956
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1068
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1076
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1160
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1204
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2312
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2336
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f59abb13c18b97df25064a7d7379b0.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f59abb13c18b97df25064a7d7379b0.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
119KB

MD5
78e3f033907ea994a9456f3f1c164b6c

SHA1
c106c05f7ffe122777639cfb771431e62d9c8e03

SHA256
4f398abd0091c32e100566ffa43db278c82965a71ee4878bd29cd6e104ab890d

SHA512
e8c4419d3f4ce4adbf8f48fd9d0dbca2f6d9696533e07fc3c3224f6e9ff91813ef20f0317f58ab010a1bb96d5445af5f952f8eb559be8aacf944679217b4a2b1

Download Submit
memory/2116-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-8-0x00000000753C0000-0x00000000753FC000-memory.dmp

Filesize
240KB

Download
memory/2524-9-0x0000000075380000-0x00000000753BC000-memory.dmp

Filesize
240KB

Download
memory/2524-15-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2524-16-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2524-14-0x0000000077DBF000-0x0000000077DC0000-memory.dmp

Filesize
4KB

Download
memory/2524-13-0x0000000000180000-0x00000000001A9000-memory.dmp

Filesize
164KB

Download
memory/2524-12-0x00000000753E0000-0x000000007541C000-memory.dmp

Filesize
240KB

Download
memory/2524-11-0x00000000753C0000-0x00000000753FC000-memory.dmp

Filesize
240KB

Download
memory/2524-18-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2524-17-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download