Analysis
- max time kernel: 132s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: 16e29d202656377016b1cc688f14d3ba_JaffaCakes118.dll
- Resource: win7-20240220-en
General
- Target: 16e29d202656377016b1cc688f14d3ba_JaffaCakes118.dll
- Size: 192KB
- MD5: 16e29d202656377016b1cc688f14d3ba
- SHA1: c227ffe8809232faea08cc48a8bf65620c34690c
- SHA256: 1399efbf46edf9ff967b9071813733787b96f45a8606a3dd282fd5e73a074f2f
- SHA512: ab228a80e1687c9da7a42290f8788197ce491a19224ef2c22c6973b8eeee24c0e0168d6a3342b3b16888c97660ebcdfeba278f03f7e8c098a9523e3ff3ec1664
- SSDEEP: 3072:texY2nMibVoSOyyzWBYu+4HJ300Odil9d0C8ZOvZfa/+8B:t+n6SOyyfb23OwdHYORf6+8B
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | process
  3008 | rundll32mgr.exe
- Loads dropped DLL (1 IoC)
  pid  | process
  3008 | rundll32mgr.exe
- YARA rule match
  resource                                                                    | yara_rule
  behavioral2/memory/3008-6-0x0000000000400000-0x000000000042A000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  description  | ioc                                 | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Program crash (1 IoC)
  pid  | pid_target | process      | target process
  4616 | 3008       | WerFault.exe | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | process      | target process
  PID 1772 wrote to memory of 1876 | 1772 | rundll32.exe | rundll32.exe
  PID 1772 wrote to memory of 1876 | 1772 | rundll32.exe | rundll32.exe
  PID 1772 wrote to memory of 1876 | 1772 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 3008 | 1876 | rundll32.exe | rundll32mgr.exe
  PID 1876 wrote to memory of 3008 | 1876 | rundll32.exe | rundll32mgr.exe
  PID 1876 wrote to memory of 3008 | 1876 | rundll32.exe | rundll32mgr.exe
Processes (indentation shows process-tree depth; PIDs are those given in the Signatures tables)
- C:\Windows\system32\rundll32.exe (PID 1772)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16e29d202656377016b1cc688f14d3ba_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1876)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16e29d202656377016b1cc688f14d3ba_JaffaCakes118.dll,#1
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 3008)
      command: C:\Windows\SysWOW64\rundll32mgr.exe
      signatures: Executes dropped EXE; Loads dropped DLL
      - C:\Windows\SysWOW64\WerFault.exe (PID 4616)
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 532
        signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\~TM3354.tmp
  Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 106KB
  MD5: dcd2cafa72c9d5bd898b636a18133d3c
  SHA1: b55e85453de9254cbf4c21c0de92d82c6deefccb
  SHA256: 936b14fbbf629fcf92ac06673d974de2b2a44a109953e6664e1c36a4e5c9d27c
  SHA512: 59e475f668015b3a6372d79ea6459b21ae591d73305b7696ef139fe0e716f1038595ea5df079e1850535e6358aef4d8e92bdee68ffd07b44471bc7133041952c
- memory/1876-0-0x0000000075230000-0x0000000075265000-memory.dmp
  Filesize: 212KB
- memory/3008-6-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/3008-5-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
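A detector for the behaviour chain recorded in the Signatures and Processes sections, added here as an example that is not part of the sandbox report. It replays constructed Sysmon-style ProcessCreate (EID 1) and FileCreate (EID 11) events that mirror the report's PIDs, paths and command lines, re-derives the sandbox's "Drops file in System32 directory", "Executes dropped EXE" and "Program crash" signatures, and matches the dropped file's SHA256 against the hashes in the Downloads section. The event field names, the PIDs of the service hosts and of the second WerFault instance, and the two benign control events are assumptions.

```python
# Added example, not part of the sandbox report. Event shape (eid/pid/ppid/image/
# cmd/target/sha256) is an assumption modelled on Sysmon EID 1 and EID 11 fields.

IOC_SHA256 = {  # copied from the report's Downloads section
    "936b14fbbf629fcf92ac06673d974de2b2a44a109953e6664e1c36a4e5c9d27c": "rundll32mgr.exe",
    "767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac": "~TM3354.tmp",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# LOLBins that have no business writing files into system directories.
DROPPER_IMAGES = ("\\rundll32.exe", "\\regsvr32.exe")

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\16e29d202656377016b1cc688f14d3ba_JaffaCakes118.dll"

# Constructed events mirroring the report's process tree. PIDs 1772, 1876, 3008 and
# 4616 come from the report; the parent PIDs 604/1332 and the -pss WerFault PID 4720
# are made up. The last two events are benign controls that must not alert.
EVENTS = [
    {"eid": 1, "pid": 1772, "ppid": 604, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"eid": 1, "pid": 1876, "ppid": 1772, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"eid": 11, "pid": 1876, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"eid": 11, "pid": 1876, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Users\Admin\AppData\Local\Temp\~TM3354.tmp"},
    {"eid": 1, "pid": 3008, "ppid": 1876, "image": r"C:\Windows\SysWOW64\rundll32mgr.exe",
     "cmd": r"C:\Windows\SysWOW64\rundll32mgr.exe",
     "sha256": "936b14fbbf629fcf92ac06673d974de2b2a44a109953e6664e1c36a4e5c9d27c"},
    {"eid": 1, "pid": 4616, "ppid": 3008, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 532"},
    {"eid": 1, "pid": 4720, "ppid": 1332, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008"},
    # controls: a Control Panel launch through rundll32 and a servicing write
    {"eid": 1, "pid": 5100, "ppid": 604, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"eid": 11, "pid": 1230, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\example.dll"},
]


def werfault_target(cmd):
    """PID named by WerFault's -p switch, or None if the command line has none."""
    parts = cmd.split()
    for i in range(len(parts) - 1):
        if parts[i] == "-p" and parts[i + 1].isdigit():
            return int(parts[i + 1])
    return None


def detect(events):
    """Replay events in order and return (signature, pid, detail) tuples."""
    alerts = []
    dropped = {}      # lower-cased path -> pid that created it
    executed = set()  # pids whose image is a file some earlier event created
    for ev in events:
        image = ev["image"].lower()
        if ev["eid"] == 11:
            target = ev["target"].lower()
            dropped[target] = ev["pid"]
            # A LOLBin writing into System32/SysWOW64 is the report's "Drops file" signature.
            if image.endswith(DROPPER_IMAGES) and target.startswith(SYSTEM_DIRS):
                alerts.append(("Drops file in System32 directory", ev["pid"], ev["target"]))
        elif ev["eid"] == 1:
            # Any process whose image was created earlier in the stream is a dropped EXE.
            if image in dropped:
                executed.add(ev["pid"])
                alerts.append(("Executes dropped EXE", ev["pid"],
                               f"dropped by pid {dropped[image]}"))
            name = IOC_SHA256.get(ev.get("sha256", ""))
            if name:
                alerts.append(("IoC hash match", ev["pid"], name))
            # Correlate WerFault on its -p argument, not its parent: the -pss instance
            # is started by the WER service and sits at the root of the tree.
            if image.endswith("\\werfault.exe"):
                crashed = werfault_target(ev["cmd"])
                if crashed in executed:
                    alerts.append(("Program crash", crashed, f"WerFault pid {ev['pid']}"))
    return alerts


if __name__ == "__main__":
    for sig, pid, detail in detect(EVENTS):
        print(f"{sig:34} pid={pid:<5} {detail}")
```

The FileCreate for ~TM3354.tmp lands in the user's Temp directory and so is recorded but not alerted on; only the SysWOW64 write trips the System32 rule, which matches the report's single "Drops file" IoC. Keying the crash signature on WerFault's -p value is what lets both WerFault instances in the process tree be tied back to PID 3008 even though only the -u instance has rundll32mgr.exe as its parent.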