Analysis
Max time kernel: 67s
Max time network: 57s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-04-2024 01:55
Tasks
Static task static1: 1 signature
Behavioral task behavioral1
- Sample: 041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
- Resource: win7-20240221-en (windows7-x64)
- Signatures: 4
- Duration: 150 seconds
General
Target: 041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll
Size: 648KB
MD5: 041ebd55472e90b6539ed5d520c01f99
SHA1: 94cd854b532681dfce63dcd26275ffe735c2cfc2
SHA256: dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827
SHA512: 371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7
SSDEEP: 12288:ftFeHgffXM9vO6Ca7urSHjoPmWnj+AtPQZwGWXzwjGFiJEvSm6l:fxffXMD7urYinnjvteJWXZievSHl
Malware Config (extracted)
Family: zloader
Botnet: miguel
Campaign: 10/04
C2:
- https://gynrhcoe.pw/wp-config.php
- https://wlqaqife.icu/wp-config.php
Attributes:
- build_id: 142
- rc4.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
  Source PID  Source process  Target PID  Target process
  1312        rundll32.exe    2508        msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID   Process      Privilege
  2508  msiexec.exe  SeSecurityPrivilege
  2508  msiexec.exe  SeSecurityPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  Source PID  Source process  Target PID  Target process  Count
  4944        rundll32.exe    1312        rundll32.exe    3
  1312        rundll32.exe    2508        msiexec.exe     5

Read together, the three signatures describe a single injection chain. The three writes from the 64-bit rundll32.exe (4944) into the 32-bit SysWOW64 rundll32.exe (1312) it launched are consistent with ordinary child-process start-up, which is how rundll32 normally handles a 32-bit DLL. The five writes followed by SetThreadContext from 1312 into msiexec.exe (2508), a system binary started with no arguments, are the pattern used for process hollowing: code is written into the new process and its thread is redirected into it. The SeSecurityPrivilege adjustments are then made by the hollowed msiexec.exe, so the 208KB region at 0x00400000 in PID 2508 listed under Downloads is the first dump to inspect for the injected payload.
Processes
(PIDs are taken from the signature rows above.)

C:\Windows\system32\rundll32.exe (PID 4944)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1312, child of 4944)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 2508, child of 1312)
      msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
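The Signatures and Processes sections above give enough to write a detection that separates the benign-looking writes (a parent writing into a child it just started) from the hollowing chain (writes plus SetThreadContext into a bare-argument system binary). The following is an added example, not code from the sandbox vendor or from the original report: it re-encodes the report's rows as constructed Python records, and the record layout (api, source pid, source image, target pid, target image) and the `Finding` type are assumptions made for this illustration.

```python
"""Detection pass over the behavioural rows of this report.

Added example, not part of the original sandbox report or of any vendor
tooling: the "Signatures" and "Processes" rows are re-encoded as constructed
Python records and a small detection is run over them. The record layout
(api, source pid, source image, target pid, target image) is an assumption
made for this illustration, not the sandbox's own export format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the report's signature rows (3 + 5 WriteProcessMemory, then the rest).
EVENTS = (
    [("WriteProcessMemory", 4944, "rundll32.exe", 1312, "rundll32.exe")] * 3
    + [("WriteProcessMemory", 1312, "rundll32.exe", 2508, "msiexec.exe")] * 5
    + [("SetThreadContext", 1312, "rundll32.exe", 2508, "msiexec.exe"),
       ("AdjustPrivilegeToken", 2508, "msiexec.exe", 2508, "msiexec.exe")]
)

# Constructed from the report's process tree: pid -> (parent pid, image, command line);
# PIDs come from the signature rows that name each process.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\041ebd55472e90b6539ed5d520c01f99_JaffaCakes118.dll"
PROCESSES = {
    4944: (None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    1312: (4944, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    2508: (1312, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe"),
}

# rundll32 handed a DLL under the user's Temp directory plus an ordinal export (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\AppData\\Local\\Temp\\[^,\s]+,#\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int          # process the finding is attached to
    detail: str
    confidence: str   # "high" or "low"


def cross_process_findings(events):
    """Score each (writer -> target) pair by the APIs used against the target.

    WriteProcessMemory alone is weak: a parent writing into a child it has just
    created is ordinary start-up. The same writer also calling SetThreadContext
    on that target is the hollowing / thread-hijack pattern and scores high.
    """
    apis_by_pair = defaultdict(set)
    for api, spid, simg, tpid, timg in events:
        if spid != tpid:
            apis_by_pair[(spid, simg, tpid, timg)].add(api)
    findings = []
    for (spid, simg, tpid, timg), apis in apis_by_pair.items():
        if "WriteProcessMemory" not in apis:
            continue
        if "SetThreadContext" in apis:
            findings.append(Finding(spid, f"{simg} wrote to and redirected a thread in {timg} ({tpid})", "high"))
        else:
            findings.append(Finding(spid, f"{simg} wrote to {timg} ({tpid}) without SetThreadContext", "low"))
    return findings


def command_line_findings(processes, events):
    """Flag loader-style command lines and bare-argument injection targets."""
    written_to = {tpid for api, spid, _, tpid, _ in events
                  if api == "WriteProcessMemory" and spid != tpid}
    findings = []
    for pid, (ppid, image, cmdline) in processes.items():
        if RUNDLL32_TEMP_ORDINAL.search(cmdline):
            findings.append(Finding(pid, "rundll32 loading a DLL from %TEMP% by ordinal", "high"))
        # A system binary started with no arguments that its parent then writes
        # into has the shape of a hollowing target.
        if ppid is not None and len(cmdline.split()) == 1 and pid in written_to:
            findings.append(Finding(pid, f"{image} started bare by {ppid} and written to", "high"))
    return findings


def report(processes, events):
    """Render the process tree with findings attached; returns the lines."""
    by_pid = defaultdict(list)
    for f in cross_process_findings(events) + command_line_findings(processes, events):
        by_pid[f.pid].append(f)
    lines = []

    def walk(pid, depth):
        _, image, cmdline = processes[pid]
        lines.append("  " * depth + f"{pid} {image}  [{cmdline}]")
        lines.extend("  " * depth + f"  !! {f.confidence}: {f.detail}" for f in by_pid[pid])
        for child, (parent, _, _) in processes.items():
            if parent == pid:
                walk(child, depth + 1)

    for pid, (parent, _, _) in processes.items():
        if parent is None:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(report(PROCESSES, EVENTS)))
```

Run stand-alone, it prints the tree with the 4944 to 1312 writes scored low and the 1312 to 2508 chain scored high; in a real pipeline the same two functions would be fed the sandbox's own event export instead of the constructed records, with the low-confidence branch kept so that normal process creation does not page anyone.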
Network
MITRE ATT&CK Matrix
Downloads (memory dumps; process names matched to PIDs from the signature rows)

Dump                                                             Process              Size
memory/1312-0-0x0000000075430000-0x00000000754E9000-memory.dmp   rundll32.exe (1312)  740KB
memory/1312-1-0x0000000075430000-0x00000000754E9000-memory.dmp   rundll32.exe (1312)  740KB
memory/1312-2-0x0000000000770000-0x0000000000771000-memory.dmp   rundll32.exe (1312)  4KB
memory/1312-9-0x0000000075430000-0x00000000754E9000-memory.dmp   rundll32.exe (1312)  740KB
memory/2508-7-0x0000000000400000-0x0000000000434000-memory.dmp   msiexec.exe (2508)   208KB
memory/2508-11-0x0000000000400000-0x0000000000434000-memory.dmp  msiexec.exe (2508)   208KB
memory/2508-12-0x0000000000400000-0x0000000000434000-memory.dmp  msiexec.exe (2508)   208KB