Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
28-04-2024 01:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
General
-
Target
041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
-
Size
648KB
-
MD5
041ebd55472e90b6539ed5d520c01f99
-
SHA1
94cd854b532681dfce63dcd26275ffe735c2cfc2
-
SHA256
dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827
-
SHA512
371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7
-
SSDEEP
12288:ftFeHgffXM9vO6Ca7urSHjoPmWnj+AtPQZwGWXzwjGFiJEvSm6l:fxffXMD7urYinnjvteJWXZievSHl
Malware Config
Extracted
Family
zloader
Botnet
miguel
Campaign
10/04
C2
https://gynrhcoe.pw/wp-config.php
https://wlqaqife.icu/wp-config.php
Attributes
-
build_id
142
rc4.plain
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process       procid_target
PID 2952 set thread context of 800   2952  rundll32.exe  31
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                  pid   Process
Token: SeSecurityPrivilege   800   msiexec.exe
Token: SeSecurityPrivilege   800   msiexec.exe
Suspicious use of WriteProcessMemory 16 IoCs
description                        pid   Process       procid_target
PID 2344 wrote to memory of 2952   2344  rundll32.exe  28             (7 events)
PID 2952 wrote to memory of 800    2952  rundll32.exe  31             (9 events)
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2344
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:2952
        C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          - Suspicious use of AdjustPrivilegeToken
          PID:800
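The three signatures above, read together with the process list, describe one chain: the SysWOW64 rundll32.exe (PID 2952) spawns msiexec.exe (PID 800), writes into its memory nine times, then calls SetThreadContext on it, after which msiexec.exe starts adjusting its own token. That write-then-set-thread-context pairing on a freshly spawned child is the pattern usually triaged as process hollowing. The parent-level WriteProcessMemory rows (2344 into 2952) have no matching SetThreadContext, which is why a detection should require both. The script below is an added example, not Triage's own code: it rebuilds the process tree and the IoC tables from this report as constructed in-memory events (the pid/target pairs, counts and image names are taken from the tables above; the event tuple format and the HOLLOW_HOSTS list are the example's own assumptions) and flags only the source/victim pair that shows both behaviours.

```python
"""Reconstruct a sandbox process tree and flag the write + SetThreadContext chain.

All data below is constructed from the signature tables and process list in the
report above; the detection logic is an added example, not the sandbox's code.
"""
from collections import defaultdict

# OS pid -> (image path, parent OS pid). Constructed from the "Processes" section.
PROCESSES = {
    2344: ("C:\\Windows\\system32\\rundll32.exe", None),
    2952: ("C:\\Windows\\SysWOW64\\rundll32.exe", 2344),
    800:  ("C:\\Windows\\SysWOW64\\msiexec.exe", 2952),
}

# (api, source pid, target pid). Counts follow the IoC tables; for the token
# adjustment the report gives no target, so source == target is this example's convention.
EVENTS = (
    [("WriteProcessMemory", 2344, 2952)] * 7
    + [("WriteProcessMemory", 2952, 800)] * 9
    + [("SetThreadContext", 2952, 800)]
    + [("AdjustPrivilegeToken", 800, 800)] * 2   # Token: SeSecurityPrivilege, twice
)

# Signed Windows binaries commonly chosen as hollowing hosts (assumed list, not from the report).
HOLLOW_HOSTS = {"msiexec.exe", "svchost.exe", "explorer.exe", "regsvr32.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(processes, events):
    """Return [(injector pid, victim pid, reason)] for every pair where the injector
    both wrote to the victim's memory and changed one of its thread contexts."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))

    hits = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] == 0:
            continue  # context change without a preceding write is not the hollowing pattern
        victim_img, victim_parent = processes[dst]
        reason = (f"{basename(processes[src][0])} wrote {writes[(src, dst)]}x to "
                  f"{basename(victim_img)} then set its thread context")
        if victim_parent == src:
            reason += " (victim is its own child)"
        if basename(victim_img) in HOLLOW_HOSTS:
            reason += " (victim is a signed Windows host binary)"
        hits.append((src, dst, reason))
    return hits


def process_chain(processes, pid):
    """Image basenames from the tree root down to pid."""
    chain = []
    while pid is not None:
        img, parent = processes[pid]
        chain.append(basename(img))
        pid = parent
    return chain[::-1]


def privileges_in_victims(processes, events, hits):
    """Pids of hollowed processes that went on to adjust their own token."""
    victims = {dst for _, dst, _ in hits}
    return sorted({src for api, src, _ in events
                   if api == "AdjustPrivilegeToken" and src in victims})


if __name__ == "__main__":
    found = find_hollowing(PROCESSES, EVENTS)
    for src, dst, why in found:
        print(f"[!] {src} -> {dst}: {why}")
        print("    chain:", " -> ".join(process_chain(PROCESSES, dst)))
    print("hollowed processes adjusting privileges:",
          privileges_in_victims(PROCESSES, EVENTS, found))
```

Run as-is it reports a single hit, 2952 into 800, with the chain rundll32.exe -> rundll32.exe -> msiexec.exe, and lists 800 as a hollowed process that then adjusted its token; the seven parent-level writes from 2344 into 2952 are correctly left alone because no SetThreadContext accompanies them.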