Analysis
- max time kernel: 128s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 15:47
Static task: static1
Behavioral task: behavioral1
- Sample: 16942347533e0e7872b64d70e847d040_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 16942347533e0e7872b64d70e847d040_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: 16942347533e0e7872b64d70e847d040_JaffaCakes118.dll
- Size: 152KB
- MD5: 16942347533e0e7872b64d70e847d040
- SHA1: 0e136c8158ed5b5e766b971570ba4c516f559671
- SHA256: a816ca11726dd48e3d822a28917ded7947a1724c9947d12b945cbebd6b220da6
- SHA512: 4d8631a6c37ce014c8947c0d1e493fd2e080afa8a3d686dd53beb0dd567a38fc5742c2ac18156a519ce25ca45be6099562a0a58d4f9cf405d296b1111904a975
- SSDEEP: 3072:nD09MaWLOdfPQdYeW2y6FilwffjVA0YaDQ0gl2aHhmhC:RaqOdHQ9vnjj1EmY
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  4384 | rundll32mgr.exe
- Processes (resource, yara_rule):
  C:\Windows\SysWOW64\rundll32mgr.exe | upx
  behavioral2/memory/4384-5-0x0000000000400000-0x000000000046E000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
  3084 | 2368 | WerFault.exe | rundll32.exe
  3904 | 4384 | WerFault.exe | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 4540 wrote to memory of 2368 | 4540 | rundll32.exe | rundll32.exe
  PID 4540 wrote to memory of 2368 | 4540 | rundll32.exe | rundll32.exe
  PID 4540 wrote to memory of 2368 | 4540 | rundll32.exe | rundll32.exe
  PID 2368 wrote to memory of 4384 | 2368 | rundll32.exe | rundll32mgr.exe
  PID 2368 wrote to memory of 4384 | 2368 | rundll32.exe | rundll32mgr.exe
  PID 2368 wrote to memory of 4384 | 2368 | rundll32.exe | rundll32mgr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16942347533e0e7872b64d70e847d040_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16942347533e0e7872b64d70e847d040_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 264
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 608
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2368 -ip 2368
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4384 -ip 4384
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 105KB
  MD5: 9b49fec7e03c33277f188a2819b8d726
  SHA1: a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f
  SHA256: 9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad
  SHA512: 049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d
- memory/2368-4-0x000000006D240000-0x000000006D266000-memory.dmp
  Filesize: 152KB
- memory/4384-6-0x00000000004B0000-0x00000000004B1000-memory.dmp
  Filesize: 4KB
- memory/4384-5-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB