c6fa8b093dbd07a71422c0d4036aed72fc4b6837a0907ee3760233daf5526342

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_84ead162e877109574c931886f65c6e0.dll
Size

259KB
MD5

84ead162e877109574c931886f65c6e0
SHA1

7148c649612d1805b64a5b2a986d4577f0e94ddc
SHA256

c6fa8b093dbd07a71422c0d4036aed72fc4b6837a0907ee3760233daf5526342
SHA512

a5e28ce152baf50ec81b4c818af3cbef63a880ca34726f2d4b0923763a2b756504411ace51f7b69a0430cf08dc0fc39ba5cb6be3cf0b49e55c5296e721fa1b89
SSDEEP

3072:SCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6E:SCIGPj038tAgFMldWNX+5VSf9v

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	rundll32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2516	rundll32.exe
2516	rundll32.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2192	2516	WerFault.exe	30
2528	2232	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2496 wrote to memory of 2516	2496	rundll32.exe	30
PID 2516 wrote to memory of 2232	2516	rundll32.exe	31
PID 2516 wrote to memory of 2232	2516	rundll32.exe	31
PID 2516 wrote to memory of 2232	2516	rundll32.exe	31
PID 2516 wrote to memory of 2232	2516	rundll32.exe	31
PID 2516 wrote to memory of 2192	2516	rundll32.exe	32
PID 2516 wrote to memory of 2192	2516	rundll32.exe	32
PID 2516 wrote to memory of 2192	2516	rundll32.exe	32
PID 2516 wrote to memory of 2192	2516	rundll32.exe	32
PID 2232 wrote to memory of 2528	2232	rundll32mgr.exe	33
PID 2232 wrote to memory of 2528	2232	rundll32mgr.exe	33
PID 2232 wrote to memory of 2528	2232	rundll32mgr.exe	33
PID 2232 wrote to memory of 2528	2232	rundll32mgr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84ead162e877109574c931886f65c6e0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84ead162e877109574c931886f65c6e0.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 224
    3⤵
    - Program crash
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
221e50dc3a4ab42db4cd73360aa99d41

SHA1
ef5857e1fcf962c9f7bbe17f8120b343ef797eb8

SHA256
a9e41334122fdce7384959bca1c33bfc8218d7538da8eeb11c2a53eae77fec08

SHA512
1ec8ee13e93e2b4b05fe93c510ccbd381867add5babe800a41f4f9528fbe517c0cbc2e66825d6bdbc70e21e118723b9b9420fe4a049f386ab5f548a97e9cdbaa

Download Submit
memory/2232-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2516-1-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/2516-4-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2516-2-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/2516-11-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2516-19-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download