Overview

overview

10

Static

static

3

JaffaCakes...0c.dll

windows7-x64

10

JaffaCakes...0c.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1a25098d80c3594fa287c0f63180cc0c.dll

  • Size

    828KB

  • MD5

    1a25098d80c3594fa287c0f63180cc0c

  • SHA1

    40dc0a14973413809f014dc566fa4b00aafcfe84

  • SHA256

    3f6b4d990e77dafb2d70968340b474341ae516859b5d1967d91dc8cc9132c14d

  • SHA512

    5252498c80d253c3e1e2e880d4a1958b69369491bfa8e8a38ae7c4dc428d7e5a238da648d3e513370a7079a2c897a65cd1597d45e9f14f4c2a43e8fd6effda85

  • SSDEEP

    24576:m5c8veLwmd4Fo+sjmPSSC92r30MilqTYL7GrV+QZpOoP:ma8veLwmaFo+sjmPSSC92r30MUqTYLCX

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a25098d80c3594fa287c0f63180cc0c.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a25098d80c3594fa287c0f63180cc0c.dll
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 268
          4⤵
          • Program crash
          PID:1620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 652 -ip 652
    1⤵
      PID:4952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\regsvr32Srv.exe
      Filesize

      94KB

      MD5

      f6736faa3126f64ed4a7109e40c47806

      SHA1

      0d50917f44d6e173bac24916c95343616dcbf18c

      SHA256

      bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

      SHA512

      29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

      Download Submit

    • memory/652-6-0x0000000000590000-0x0000000000591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/652-5-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/652-7-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1536-0-0x0000000010000000-0x00000000100E6000-memory.dmp

      Filesize

      920KB

      Download