Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 07:51
Static task
static1
Behavioral task
behavioral1
Sample
19589a971eb420559794afd71081d286_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
19589a971eb420559794afd71081d286_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
19589a971eb420559794afd71081d286_JaffaCakes118.dll
-
Size
140KB
-
MD5
19589a971eb420559794afd71081d286
-
SHA1
71cbacfb391011112b322d2ff2ed583786dd2752
-
SHA256
4b983caf22b55ad0ff2b73a2d9427eedae29e418a9141d091464e7a4f799f3d3
-
SHA512
c4948631d01743602c99dee4c778fd644b68904875460292d929ed0f95b74e0fbb1f40e9c2bf506edc5eb4f2f7bfd328357f11b5c486cb457f9fa00923323fa5
-
SSDEEP
3072:dNEqkap78EyjCY2Dy8pRuuOKi1xywc/h:HEqkE4x0yeupTnnc/h
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rundll32Srv.exepid process 3100 rundll32Srv.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\rundll32Srv.exe upx behavioral2/memory/3100-4-0x0000000000400000-0x0000000000441000-memory.dmp upx behavioral2/memory/3100-7-0x0000000000400000-0x0000000000441000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3668 3100 WerFault.exe rundll32Srv.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3136 wrote to memory of 3172 3136 rundll32.exe rundll32.exe PID 3136 wrote to memory of 3172 3136 rundll32.exe rundll32.exe PID 3136 wrote to memory of 3172 3136 rundll32.exe rundll32.exe PID 3172 wrote to memory of 3100 3172 rundll32.exe rundll32Srv.exe PID 3172 wrote to memory of 3100 3172 rundll32.exe rundll32Srv.exe PID 3172 wrote to memory of 3100 3172 rundll32.exe rundll32Srv.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\19589a971eb420559794afd71081d286_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\19589a971eb420559794afd71081d286_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 2684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3100 -ip 31001⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\rundll32Srv.exeFilesize
94KB
MD5f6736faa3126f64ed4a7109e40c47806
SHA10d50917f44d6e173bac24916c95343616dcbf18c
SHA256bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874
SHA51229cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5
-
memory/3100-4-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3100-6-0x0000000000490000-0x0000000000491000-memory.dmpFilesize
4KB
-
memory/3100-7-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3172-3-0x000000006D040000-0x000000006D063000-memory.dmpFilesize
140KB