Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2024 12:26
Static task: static1
Behavioral task: behavioral1
  Sample: 544f8dfee031d02135551937f709db68_JaffaCakes118.dll
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 544f8dfee031d02135551937f709db68_JaffaCakes118.dll
  Resource: win10v2004-20231215-en
General
Target: 544f8dfee031d02135551937f709db68_JaffaCakes118.dll
Size: 536KB
MD5: 544f8dfee031d02135551937f709db68
SHA1: ed82e2e0bbd8a1efeb430dd625e120447bcf1a45
SHA256: 78d584b482cc097815d1beae4043a6533192670bd5214f3e920907326fe64ae6
SHA512: 03500354c8c3d4e4698c659f0a15db75d45586d9253ecd4ffcc0e4b53de11c97d3750217198f95b760093524c893b8ec7cba0fb472189c3239a3c87f2dfca6cf
SSDEEP: 6144:0nlQpnkPAfVUCaJBr7kaCLfepSyRntuoJF:0nlQpkPAfiCaJBr2yptp
Malware Config
Signatures
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
Chinese Botnet payload (1 IoC)
resource                                                                    yara_rule
behavioral1/memory/2920-0-0x0000000000140000-0x0000000000158000-memory.dmp  unk_chinese_botnet
Blocklisted process makes network request (62 IoCs)
flow     pid   Process
3        2920  rundll32.exe
5        2920  rundll32.exe
8 to 67  2920  rundll32.exe  (one flow per id, 60 flows)
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Ywaqysm.exe"  rundll32.exe
Drops file in Windows directory (2 IoCs)
description                   ioc                     Process
File created                  C:\Windows\Ywaqysm.exe  rundll32.exe
File opened for modification  C:\Windows\Ywaqysm.exe  rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2920  rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process       procid_target
PID 2516 wrote to memory of 2920  2516  rundll32.exe  28  (same entry reported 7 times)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\544f8dfee031d02135551937f709db68_JaffaCakes118.dll,#1
  PID: 2516
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 2516)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\544f8dfee031d02135551937f709db68_JaffaCakes118.dll,#1
    PID: 2920
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses