Analysis
- max time kernel: 51s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 06:53
Static task
- static1
Behavioral task
- behavioral1
  Sample: 192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll
- Size: 152KB
- MD5: 192fb6e2bdcde0bda543280379c34c65
- SHA1: 610bbb99cfb943596282f8d036474697249a8fcb
- SHA256: d7b13f9abe0996005793e4d3dde1a0405f0b751bb308a1a0d4cb6f93e530d8b7
- SHA512: 8e382eb7b836c61778417ca81bea5fc4ccd67f788e2e1927e46c6a6f70fdfc66babf3b037e1612586bfcb72643761695f33546f7ef8267bbfb8979d3530cbffc
- SSDEEP: 3072:lgQ0gIxmmDDpx1QPUhUapVsJfNsyU39nWshV:CgIYnUhbpGTsz35VD
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2072  rundll32mgr.exe
- YARA rule matches
  Processes:
    resource                                                                     yara_rule
    C:\Windows\SysWOW64\rundll32mgr.exe                                          upx
    behavioral2/memory/2072-4-0x0000000000400000-0x0000000000446000-memory.dmp  upx
    behavioral2/memory/2072-7-0x0000000000400000-0x0000000000446000-memory.dmp  upx
- Drops file in System32 directory (1 IoC)
  Processes:
    description   ioc                                  process
    File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    4232  4564        WerFault.exe  rundll32.exe
    4840  2072        WerFault.exe  rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 3156 wrote to memory of 4564  3156  rundll32.exe  rundll32.exe
    PID 3156 wrote to memory of 4564  3156  rundll32.exe  rundll32.exe
    PID 3156 wrote to memory of 4564  3156  rundll32.exe  rundll32.exe
    PID 4564 wrote to memory of 2072  4564  rundll32.exe  rundll32mgr.exe
    PID 4564 wrote to memory of 2072  4564  rundll32.exe  rundll32mgr.exe
    PID 4564 wrote to memory of 2072  4564  rundll32.exe  rundll32mgr.exe
Processes (tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\192fb6e2bdcde0bda543280379c34c65_JaffaCakes118.dll,#1
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      command: C:\Windows\SysWOW64\rundll32mgr.exe
      signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 268
        signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 608
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2072 -ip 2072
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4564 -ip 4564
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 73KB
  MD5: 23842802587d1c2570eec734a06cc188
  SHA1: aecd57ced1f79fa0dcc93076b3254216d08b907f
  SHA256: aa94699c1420a0a2c0d07a936fe2acc26cdbb410f7bc47552110504e91b4a8d8
  SHA512: 80ebdf18eff5b25e4ce2dccb44d5b55a9e377b5b339da3a253679d0a4eb0e6fb57595aabb979014aa4e3d59f8622d4660df763d79d8a813365eff0538c05b1c7
- memory/2072-4-0x0000000000400000-0x0000000000446000-memory.dmp
  Filesize: 280KB
- memory/2072-6-0x0000000002250000-0x0000000002251000-memory.dmp
  Filesize: 4KB
- memory/2072-7-0x0000000000400000-0x0000000000446000-memory.dmp
  Filesize: 280KB
- memory/4564-1-0x000000006D430000-0x000000006D458000-memory.dmp
  Filesize: 160KB
- memory/4564-8-0x000000006D430000-0x000000006D458000-memory.dmp
  Filesize: 160KB