Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 02:06
Static task: static1

Behavioral task: behavioral1
- Sample: fbb043fa3913efacafd5b4000f5daa0b_JaffaCakes118.dll
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: fbb043fa3913efacafd5b4000f5daa0b_JaffaCakes118.dll
- Resource: win10v2004-20240412-en
General
- Target: fbb043fa3913efacafd5b4000f5daa0b_JaffaCakes118.dll
- Size: 124KB
- MD5: fbb043fa3913efacafd5b4000f5daa0b
- SHA1: 09e8cee71c786b6cdb8a7fd0009ba1746a332add
- SHA256: f5aff0a5441e93f11d3a075de293d60123a0b156187f435b24bb314cc756b17c
- SHA512: cd5219191d240ff1bf96982264d3cc054061a51c3372e15d8ca33833433ba420583ea64b45b937bc46272e35759e2ab1284982355488b0099b093d38d0942128
- SSDEEP: 1536:zQFTrStYIOvdwx71+CBHJoOYdWuWbsgTXfZzALGVAjnIqTsmaeCQtt5+R:IStxydoxtHbYdVabZaNkqWeCQtt5+R
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                  process
    File opened for modification  \??\PhysicalDrive0   rundll32.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid    process
    1736   rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                          pid    process        target process
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
    PID 1772 wrote to memory of 1736     1772   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbb043fa3913efacafd5b4000f5daa0b_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbb043fa3913efacafd5b4000f5daa0b_JaffaCakes118.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses