Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 04:47

Static task: static1
Behavioral task: behavioral1
Sample: 0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll
Resource: win7-20231129-en
General
- Target: 0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll
- Size: 83KB
- MD5: 0467e10fff35ed4a83402cd910e01f64
- SHA1: 64198c58dbed811b4b956ffa4ee11386d35b3682
- SHA256: 8acd4e48c74793eecfe61b558dd1ef997384ae7e83db9d63ea84fe77ad38477c
- SHA512: 11d0d3f96ebb3c25d2f07ba5aa4c13810cc009b0e12c129cf273944e97cd33d67548e3c54ae56301a9075a16f555d7e4f2459cfaf8c11fd33d05c4afb0581fb4
- SSDEEP: 1536:QdNmO3D3dqL1+rv8yU2fpDhNs1+EOB2xDnVpskzZF//dU/Z:UNZT3UB0hCrOB2lB//dU/
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: rundll32.exe
    pid   process
    2372  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: rundll32.exe
    description                           pid   process
    Token: SeImpersonatePrivilege         2372  rundll32.exe
    Token: SeTcbPrivilege                 2372  rundll32.exe
    Token: SeChangeNotifyPrivilege        2372  rundll32.exe
    Token: SeCreateTokenPrivilege         2372  rundll32.exe
    Token: SeBackupPrivilege              2372  rundll32.exe
    Token: SeRestorePrivilege             2372  rundll32.exe
    Token: SeIncreaseQuotaPrivilege       2372  rundll32.exe
    Token: SeAssignPrimaryTokenPrivilege  2372  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2372  1652  rundll32.exe  rundll32.exe
    PID 2372 wrote to memory of 2216  2372  rundll32.exe  cmd.exe
    PID 2372 wrote to memory of 2216  2372  rundll32.exe  cmd.exe
    PID 2372 wrote to memory of 2216  2372  rundll32.exe  cmd.exe
    PID 2372 wrote to memory of 2216  2372  rundll32.exe  cmd.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1652
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll,#1
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 2372
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /K
      PID: 2216