Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/04/2024, 08:29
Static task
static1
Behavioral task
behavioral1
Sample
0060230d80dcbcbddc34233d300730b1_JaffaCakes118.dll
Resource
win7-20240220-en
General
-
Target
0060230d80dcbcbddc34233d300730b1_JaffaCakes118.dll
-
Size
92KB
-
MD5
0060230d80dcbcbddc34233d300730b1
-
SHA1
2aa8618a69e41d3cefdee303a51ffda6fd094b95
-
SHA256
d42f72e21b55109db9a44d26d066f86e0c09c6e80e48bd5ec63f6d31d236e62b
-
SHA512
30485da212cba9324e9b1a65865fe15f8c640b9d85ea7ff8b49c7df2b2733681356bf8477866d08d0e4538ad420b366d99ea6eac04bee7945739bb945f28fd6a
-
SSDEEP
1536:gy5iJAqTiZg4FvOnAWEhMogLYS3LORwQzv8EuRkzmWuxM:XU0me6ogLdOepEuNWuxM
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 1712 rundll32.exe Token: SeTcbPrivilege 1712 rundll32.exe Token: SeChangeNotifyPrivilege 1712 rundll32.exe Token: SeCreateTokenPrivilege 1712 rundll32.exe Token: SeBackupPrivilege 1712 rundll32.exe Token: SeRestorePrivilege 1712 rundll32.exe Token: SeIncreaseQuotaPrivilege 1712 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 1712 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3932 wrote to memory of 1712 3932 rundll32.exe 91 PID 3932 wrote to memory of 1712 3932 rundll32.exe 91 PID 3932 wrote to memory of 1712 3932 rundll32.exe 91
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0060230d80dcbcbddc34233d300730b1_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0060230d80dcbcbddc34233d300730b1_JaffaCakes118.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:81⤵PID:2880