Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 01:55
Static task: static1
Behavioral task: behavioral1
- Sample: 041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
- Resource: win7-20240221-en
General
- Target: 041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
- Size: 648KB
- MD5: 041ebd55472e90b6539ed5d520c01f99
- SHA1: 94cd854b532681dfce63dcd26275ffe735c2cfc2
- SHA256: dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827
- SHA512: 371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7
- SSDEEP: 12288:ftFeHgffXM9vO6Ca7urSHjoPmWnj+AtPQZwGWXzwjGFiJEvSm6l:fxffXMD7urYinnjvteJWXZievSHl
Malware Config
Extracted: zloader
- miguel
- 10/04
- https://gynrhcoe.pw/wp-config.php
- https://wlqaqife.icu/wp-config.php
- build_id: 142
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process       target process
    PID 2952 set thread context of 800   2952  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                  pid  process
    Token: SeSecurityPrivilege   800  msiexec.exe
    Token: SeSecurityPrivilege   800  msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                         pid   process       target process  occurrences
    PID 2344 wrote to memory of 2952    2344  rundll32.exe  rundll32.exe    7
    PID 2952 wrote to memory of 800     2952  rundll32.exe  msiexec.exe     9
Processes
- C:\Windows\system32\rundll32.exe (PID 2344)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2952)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 800)
      msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/800-16-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-15-0x00000000000D0000-0x00000000000D1000-memory.dmp: 4KB
- memory/800-13-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-19-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-22-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-23-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-21-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/800-24-0x0000000000090000-0x00000000000C4000-memory.dmp: 208KB
- memory/2952-0-0x0000000074F10000-0x0000000074FC9000-memory.dmp: 740KB
- memory/2952-2-0x00000000000B0000-0x00000000000B1000-memory.dmp: 4KB
- memory/2952-1-0x0000000074F10000-0x0000000074FC9000-memory.dmp: 740KB
- memory/2952-18-0x0000000074F10000-0x0000000074FC9000-memory.dmp: 740KB