02d2d004f30e2022c652cb1e92b92ed5326cb5d0c49a3983bdcb480ae6012fe9

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll
Size

424KB
MD5

b80f7658ffb704350faf5060b1d92d66
SHA1

2ad9d0776d0e38c306af1d40660045b1a98a8f04
SHA256

02d2d004f30e2022c652cb1e92b92ed5326cb5d0c49a3983bdcb480ae6012fe9
SHA512

61d95373a6d46c36e35b4f32d412440f54c9eecbaf04d596cd3da9b9144b0470588c241199ad2e08bd423d955e0a68ff7ee113bfcce9d82f759dc6dcc1709d1d
SSDEEP

6144:vl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyR5fih8JRmlM+9ZldLIsIyNk2uu6:vlCzcMg+9YkDiQ3/Q8Jud9f9jhuT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	rundll32mgr.exe

Loads dropped DLL 11 IoCs

pid	Process
2280	rundll32.exe
2280	rundll32.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2012	2280	WerFault.exe	30
2700	2740	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2636 wrote to memory of 2280	2636	rundll32.exe	30
PID 2280 wrote to memory of 2740	2280	rundll32.exe	31
PID 2280 wrote to memory of 2740	2280	rundll32.exe	31
PID 2280 wrote to memory of 2740	2280	rundll32.exe	31
PID 2280 wrote to memory of 2740	2280	rundll32.exe	31
PID 2280 wrote to memory of 2012	2280	rundll32.exe	33
PID 2280 wrote to memory of 2012	2280	rundll32.exe	33
PID 2280 wrote to memory of 2012	2280	rundll32.exe	33
PID 2280 wrote to memory of 2012	2280	rundll32.exe	33
PID 2740 wrote to memory of 2700	2740	rundll32mgr.exe	32
PID 2740 wrote to memory of 2700	2740	rundll32mgr.exe	32
PID 2740 wrote to memory of 2700	2740	rundll32mgr.exe	32
PID 2740 wrote to memory of 2700	2740	rundll32mgr.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 224
    3⤵
    - Program crash
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
187KB

MD5
27fdabf7c440551ce0d41832bb40e0e4

SHA1
c3a6f07789562c1edbea44197a3f6cb3f6d345c9

SHA256
52f26137f9a813c374e5bca7ae97f2f31c1f8084276944fdc5e97df7a69a86c4

SHA512
4c13cfe5ed6741933d83ba0af39bd9cc544033328fe015b5ec1f1eff358e54764814f60085c0b4528034e2e8ab2f94694e186b27d9e66e42e01391ba20f38df5

Download Submit
memory/2280-0-0x0000000074A20000-0x0000000074A8A000-memory.dmp

Filesize
424KB

Download
memory/2280-4-0x00000000749B0000-0x0000000074A1A000-memory.dmp

Filesize
424KB

Download
memory/2280-2-0x00000000749B0000-0x0000000074A1A000-memory.dmp

Filesize
424KB

Download
memory/2280-1-0x0000000074A20000-0x0000000074A8A000-memory.dmp

Filesize
424KB

Download
memory/2280-12-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2280-24-0x00000000749B0000-0x0000000074A1A000-memory.dmp

Filesize
424KB

Download
memory/2740-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download