Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 12:49
Behavioral task: behavioral1
- Sample: 1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll
- Resource: win7-20240221-en
General
- Target: 1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 1b5ca0a2cfed0da837df1277a63d758f
- SHA1: 981db769c134265112dda0cf442d00abf2269f8b
- SHA256: dc8638e20db945a7b88d9c618ee2a7053ba95f2c5f40259cb2c299c4564529e7
- SHA512: b501983f7574ef85ee3be8b16fb60b1ded40267bbb511e7cd2c557057f7789ce46a460462149949f907239d97c033073354f063e67b4d54cb9a5dfadbb45484b
- SSDEEP: 24576:BD44VC2/ajaqI7Y/icfB+dfw4oSAmEi9lgOpoqNK4pe60xlMKx1rrmsnS0uLxSU0:Z44/kax0BfOllXLlgoK4ped3dx1vmsn9
Malware Config
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: rundll32.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine
    process: rundll32.exe
- Processes (YARA rule matches):
    resource: behavioral1/memory/2964-0-0x0000000010000000-0x00000000102F9000-memory.dmp, yara_rule: themida
    resource: behavioral1/memory/2964-1-0x0000000010000000-0x00000000102F9000-memory.dmp, yara_rule: themida
    resource: behavioral1/memory/2964-10-0x0000000010000000-0x00000000102F9000-memory.dmp, yara_rule: themida
    resource: behavioral1/memory/2964-2-0x0000000010000000-0x00000000102F9000-memory.dmp, yara_rule: themida
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid: 3004, pid_target: 2964, process: WerFault.exe, target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
    pid: 2964, process: rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description: PID 1888 wrote to memory of 2964, pid: 1888, process: rundll32.exe, target process: rundll32.exe (7 entries)
    description: PID 2964 wrote to memory of 3004, pid: 2964, process: rundll32.exe, target process: WerFault.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5ca0a2cfed0da837df1277a63d758f_JaffaCakes118.dll,#1
    - Identifies Wine through registry keys
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 432
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2964-0-0x0000000010000000-0x00000000102F9000-memory.dmp (Filesize: 3.0MB)
- memory/2964-1-0x0000000010000000-0x00000000102F9000-memory.dmp (Filesize: 3.0MB)
- memory/2964-4-0x0000000000320000-0x0000000000413000-memory.dmp (Filesize: 972KB)
- memory/2964-3-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/2964-10-0x0000000010000000-0x00000000102F9000-memory.dmp (Filesize: 3.0MB)
- memory/2964-9-0x0000000010001000-0x0000000010025000-memory.dmp (Filesize: 144KB)
- memory/2964-8-0x0000000000940000-0x0000000000941000-memory.dmp (Filesize: 4KB)
- memory/2964-7-0x0000000001F90000-0x0000000001F91000-memory.dmp (Filesize: 4KB)
- memory/2964-6-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/2964-5-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)
- memory/2964-2-0x0000000010000000-0x00000000102F9000-memory.dmp (Filesize: 3.0MB)
- memory/2964-11-0x0000000000950000-0x000000000095E000-memory.dmp (Filesize: 56KB)