Overview

overview

10

Static

static

3

JaffaCakes...ff.dll

windows7-x64

10

JaffaCakes...ff.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 09:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2009450aa44ee1c9d061a26f564862ff.dll

  • Size

    180KB

  • MD5

    2009450aa44ee1c9d061a26f564862ff

  • SHA1

    7120156b1917d221baa4e45d4f19d8cbaf7a523d

  • SHA256

    56def55f3a1bdcd719dbaa639e93ef42b730e6b8cf7fb44a465279da7b83ccde

  • SHA512

    50ac97a73b534b4cf0e7c243797cdb7bcff408f62160df9a7952e205bcf3a7cb800aa3ef35423242a37465418f2aa143b4c757354a04247b48700f3fc4f14b1c

  • SSDEEP

    3072:vNEqkap78EqMJxy9NG30CejqjHI4f82PDZTDjrzjRBcNhP:1EqkE4hMue9VfDZrrB+LP

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2009450aa44ee1c9d061a26f564862ff.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2009450aa44ee1c9d061a26f564862ff.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 264
          4⤵
          • Program crash
          PID:3912
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944
    1⤵
      PID:4228

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      7.98.51.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      7.98.51.23.in-addr.arpa
      IN PTR
      Response
      7.98.51.23.in-addr.arpa
      IN PTR
      a23-51-98-7deploystaticakamaitechnologiescom
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      7.98.51.23.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      7.98.51.23.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\rundll32mgr.exe
      Filesize

      133KB

      MD5

      d83374187a9308d90dd5659e95f01373

      SHA1

      796799bc4e5be46b639f1e6979b554c1efd8fa00

      SHA256

      d2c95a02ea13d4fa3625276945fe7fe8e799cff15acec4104c17fd4fd4ac0d2c

      SHA512

      286477d60e1ebfb0e6b018aaccd891259fc12c32200c8a7f1f88660f5b711bd8163d2a95bb41eb02f429b990d6b174cda874cbe675b921ffaeb29da0870759e5

      Download Submit

    • memory/4852-1-0x000000006D040000-0x000000006D06D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4944-5-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

      Download

    • memory/4944-6-0x0000000001F30000-0x0000000001F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4944-7-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.