16d01f2db892caaa76723644d64768def9b4dc6520b4b4b5455544d4bc4a6409

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_47ded890f9937867aa31afe6bda2d66c.dll
Size

528KB
MD5

47ded890f9937867aa31afe6bda2d66c
SHA1

76a14b20830760c4caefafd69a907cefeb0093f9
SHA256

16d01f2db892caaa76723644d64768def9b4dc6520b4b4b5455544d4bc4a6409
SHA512

01c7e9a8051c9e32a836338ed5a8ec42f812541de756983c456fab2d53732cbf579fdd7d6d1245466e6b17610eef960ffeb94dc02651715e9dbace38a64c694a
SSDEEP

12288:gV7LMzw56Wx1Dk/qon6xyYhgPFaUVltwC1UOLMTQi:K1oC3yWgPFzMTQi

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3128	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023bbe-3.dat	upx
behavioral2/memory/3128-5-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3128-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4004	3128	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 212	2500	rundll32.exe	83
PID 2500 wrote to memory of 212	2500	rundll32.exe	83
PID 2500 wrote to memory of 212	2500	rundll32.exe	83
PID 212 wrote to memory of 3128	212	rundll32.exe	84
PID 212 wrote to memory of 3128	212	rundll32.exe	84
PID 212 wrote to memory of 3128	212	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47ded890f9937867aa31afe6bda2d66c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47ded890f9937867aa31afe6bda2d66c.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 264
      4⤵
      Program crash
      PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3128 -ip 3128
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
133KB

MD5
5da46f63cf9852e3c7a756f51aa23eb4

SHA1
5475fd10272f2141edf7b4a0cfbd428526e47e94

SHA256
678e3295d29dfd132203021da7ce63b18eb301958d6848f5666ad388a0e2505f

SHA512
b30e1871428c184f1abfab2da1f6568b11f19eed8af8f4532ff1be6da951242e86d486f8fc16e5ec37e7064b106f4916a03e0067b3def55e260cc2cda9dd4da0

Download Submit
memory/212-0-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/3128-6-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3128-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3128-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download