Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 04:47

Static task: static1
Behavioral task: behavioral1
Sample: 0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll
Resource: win7-20231129-en
General

Target: 0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll
Size: 83KB
MD5: 0467e10fff35ed4a83402cd910e01f64
SHA1: 64198c58dbed811b4b956ffa4ee11386d35b3682
SHA256: 8acd4e48c74793eecfe61b558dd1ef997384ae7e83db9d63ea84fe77ad38477c
SHA512: 11d0d3f96ebb3c25d2f07ba5aa4c13810cc009b0e12c129cf273944e97cd33d67548e3c54ae56301a9075a16f555d7e4f2459cfaf8c11fd33d05c4afb0581fb4
SSDEEP: 1536:QdNmO3D3dqL1+rv8yU2fpDhNs1+EOB2xDnVpskzZF//dU/Z:UNZT3UB0hCrOB2lB//dU/
Malware Config

Signatures

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid    process
  3808   rundll32.exe
  3808   rundll32.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description                              pid    process
  Token: SeImpersonatePrivilege            3808   rundll32.exe
  Token: SeTcbPrivilege                    3808   rundll32.exe
  Token: SeChangeNotifyPrivilege           3808   rundll32.exe
  Token: SeCreateTokenPrivilege            3808   rundll32.exe
  Token: SeBackupPrivilege                 3808   rundll32.exe
  Token: SeRestorePrivilege                3808   rundll32.exe
  Token: SeIncreaseQuotaPrivilege          3808   rundll32.exe
  Token: SeAssignPrimaryTokenPrivilege     3808   rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                          pid    process        target process
  PID 3208 wrote to memory of 3808     3208   rundll32.exe   rundll32.exe
  PID 3208 wrote to memory of 3808     3208   rundll32.exe   rundll32.exe
  PID 3208 wrote to memory of 3808     3208   rundll32.exe   rundll32.exe
  PID 3808 wrote to memory of 2068     3808   rundll32.exe   cmd.exe
  PID 3808 wrote to memory of 2068     3808   rundll32.exe   cmd.exe
  PID 3808 wrote to memory of 2068     3808   rundll32.exe   cmd.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0467e10fff35ed4a83402cd910e01f64_JaffaCakes118.dll,#1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         cmd /K