Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 06:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll
- Resource: win7-20240611-en
General
- Target: 1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll
- Size: 247KB
- MD5: 1e5cd86251c2c61ee1cf479963b8acb8
- SHA1: 8962fa64240eaf4705766a55dd2a775993daf268
- SHA256: 5ec9b31b14d03a3997e1533ccaf5d0be69155d7fa7d3035ffe7aeae3553e93f0
- SHA512: 60e96b374238a81c9dac7c06850fb176faf58963825079b01a235880e7132a3b8499232cce77efe9ac2ff6208a05d63e449a0912c2f7a1bdbd11619020ca6953
- SSDEEP: 6144:CvCpkQAN1ZZd8SnRK5OK42YXBiiRX7MSkECHMjC3llvc:rpwNPZd8SnMwvJRrqECHt3c
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  4608 | rundll32mgr.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid  | process
  4608 | rundll32mgr.exe
- Processes:
  resource                                                             | yara_rule
  behavioral2/memory/4608-6-0x0000000000400000-0x0000000000451000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  Processes:
  description  | ioc                                  | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Program crash (2 IoCs)
  Processes:
  pid  | pid_target | process      | target process
  2508 | 912        | WerFault.exe | rundll32.exe
  3696 | 4608       | WerFault.exe | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 4904 wrote to memory of 912  | 4904 | rundll32.exe | rundll32.exe
  PID 4904 wrote to memory of 912  | 4904 | rundll32.exe | rundll32.exe
  PID 4904 wrote to memory of 912  | 4904 | rundll32.exe | rundll32.exe
  PID 912 wrote to memory of 4608  | 912  | rundll32.exe | rundll32mgr.exe
  PID 912 wrote to memory of 4608  | 912  | rundll32.exe | rundll32mgr.exe
  PID 912 wrote to memory of 4608  | 912  | rundll32.exe | rundll32mgr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 528
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 640
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 912 -ip 912
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4608 -ip 4608
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\~TM442D.tmp
  Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
- C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 144KB
  MD5: 609c9eadac4c1cc48b5f89be6c36e276
  SHA1: f047b565fdb73d5b75ffaed7b2faa335e82b3514
  SHA256: e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325
  SHA512: 246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5
- memory/912-0-0x0000000060510000-0x0000000060553000-memory.dmp
  Filesize: 268KB
- memory/912-10-0x0000000060510000-0x0000000060553000-memory.dmp
  Filesize: 268KB
- memory/4608-6-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB