Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 04:03
Behavioral task: behavioral1
Sample: 5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
Resource: win7-20240508-en (windows7-x64)
Signatures: 6
Run time: 150 seconds
General
Target: 5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
Size: 3.0MB
MD5: 5d166d70872fc980fd4841c6ba7823ea
SHA1: 78a6e2edc57afbe14383a2938e92af90d5a8b8c3
SHA256: 79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19
SHA512: 673e3694802a4ce63e544a5083545fa2df8af51230f2050a207ecc98af497f5c6ba9a8505e5726f2752f78dfc1bda7b89304e5de8da497c50ac3eda0c24557a4
SSDEEP: 49152:HYmFpKMBznrnNjDoqIMSlePda3HITUYVUanQcj4wjNW6+qUIF5Hw+:4mewrnJDoqIT3XIgYV3HjJjNoOB
Malware Config
Signatures

- Detect Blackmoon payload (6 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1728-2-0x0000000010000000-0x0000000010753000-memory.dmp   family_blackmoon
  behavioral1/memory/1728-3-0x0000000010000000-0x0000000010753000-memory.dmp   family_blackmoon
  behavioral1/memory/1728-4-0x0000000010000000-0x0000000010753000-memory.dmp   family_blackmoon
  behavioral1/memory/1728-20-0x0000000010000000-0x0000000010753000-memory.dmp  family_blackmoon
  behavioral1/memory/1728-22-0x0000000010000000-0x0000000010753000-memory.dmp  family_blackmoon
  behavioral1/memory/1728-21-0x0000000010000000-0x0000000010753000-memory.dmp  family_blackmoon

- (signature name not present on the page; yara rule vmprotect, 9 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1728-0-0x0000000010000000-0x0000000010753000-memory.dmp   vmprotect
  behavioral1/memory/1728-1-0x0000000010000000-0x0000000010753000-memory.dmp   vmprotect
  behavioral1/memory/1728-2-0x0000000010000000-0x0000000010753000-memory.dmp   vmprotect
  behavioral1/memory/1728-3-0x0000000010000000-0x0000000010753000-memory.dmp   vmprotect
  behavioral1/memory/1728-4-0x0000000010000000-0x0000000010753000-memory.dmp   vmprotect
  behavioral1/memory/1728-19-0x0000000010000000-0x0000000010753000-memory.dmp  vmprotect
  behavioral1/memory/1728-20-0x0000000010000000-0x0000000010753000-memory.dmp  vmprotect
  behavioral1/memory/1728-22-0x0000000010000000-0x0000000010753000-memory.dmp  vmprotect
  behavioral1/memory/1728-21-0x0000000010000000-0x0000000010753000-memory.dmp  vmprotect

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1728  rundll32.exe
  1728  rundll32.exe
  1728  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: rundll32.exe, WMIC.exe, WMIC.exe
  description                          pid   process
  Token: SeDebugPrivilege              1728  rundll32.exe
  Token: SeIncreaseQuotaPrivilege      2704  WMIC.exe
  Token: SeSecurityPrivilege           2704  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2704  WMIC.exe
  Token: SeLoadDriverPrivilege         2704  WMIC.exe
  Token: SeSystemProfilePrivilege      2704  WMIC.exe
  Token: SeSystemtimePrivilege         2704  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2704  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2704  WMIC.exe
  Token: SeCreatePagefilePrivilege     2704  WMIC.exe
  Token: SeBackupPrivilege             2704  WMIC.exe
  Token: SeRestorePrivilege            2704  WMIC.exe
  Token: SeShutdownPrivilege           2704  WMIC.exe
  Token: SeDebugPrivilege              2704  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2704  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2704  WMIC.exe
  Token: SeUndockPrivilege             2704  WMIC.exe
  Token: SeManageVolumePrivilege       2704  WMIC.exe
  Token: 33                            2704  WMIC.exe
  Token: 34                            2704  WMIC.exe
  Token: 35                            2704  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2704  WMIC.exe
  Token: SeSecurityPrivilege           2704  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2704  WMIC.exe
  Token: SeLoadDriverPrivilege         2704  WMIC.exe
  Token: SeSystemProfilePrivilege      2704  WMIC.exe
  Token: SeSystemtimePrivilege         2704  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2704  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2704  WMIC.exe
  Token: SeCreatePagefilePrivilege     2704  WMIC.exe
  Token: SeBackupPrivilege             2704  WMIC.exe
  Token: SeRestorePrivilege            2704  WMIC.exe
  Token: SeShutdownPrivilege           2704  WMIC.exe
  Token: SeDebugPrivilege              2704  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2704  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2704  WMIC.exe
  Token: SeUndockPrivilege             2704  WMIC.exe
  Token: SeManageVolumePrivilege       2704  WMIC.exe
  Token: 33                            2704  WMIC.exe
  Token: 34                            2704  WMIC.exe
  Token: 35                            2704  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2520  WMIC.exe
  Token: SeSecurityPrivilege           2520  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2520  WMIC.exe
  Token: SeLoadDriverPrivilege         2520  WMIC.exe
  Token: SeSystemProfilePrivilege      2520  WMIC.exe
  Token: SeSystemtimePrivilege         2520  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2520  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2520  WMIC.exe
  Token: SeCreatePagefilePrivilege     2520  WMIC.exe
  Token: SeBackupPrivilege             2520  WMIC.exe
  Token: SeRestorePrivilege            2520  WMIC.exe
  Token: SeShutdownPrivilege           2520  WMIC.exe
  Token: SeDebugPrivilege              2520  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2520  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2520  WMIC.exe
  Token: SeUndockPrivilege             2520  WMIC.exe
  Token: SeManageVolumePrivilege       2520  WMIC.exe
  Token: 33                            2520  WMIC.exe
  Token: 34                            2520  WMIC.exe
  Token: 35                            2520  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2520  WMIC.exe
  Token: SeSecurityPrivilege           2520  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2520  WMIC.exe

- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes: rundll32.exe, rundll32.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  description                         pid   process       target process   entries
  PID 348 wrote to memory of 1728     348   rundll32.exe  rundll32.exe     7
  PID 1728 wrote to memory of 2620    1728  rundll32.exe  cmd.exe          4
  PID 2620 wrote to memory of 2704    2620  cmd.exe       WMIC.exe         4
  PID 1728 wrote to memory of 2768    1728  rundll32.exe  cmd.exe          4
  PID 2768 wrote to memory of 2520    2768  cmd.exe       WMIC.exe         4
  PID 1728 wrote to memory of 2664    1728  rundll32.exe  cmd.exe          4
  PID 2664 wrote to memory of 2604    2664  cmd.exe       WMIC.exe         4
  PID 1728 wrote to memory of 2512    1728  rundll32.exe  cmd.exe          4
  PID 2512 wrote to memory of 2612    2512  cmd.exe       WMIC.exe         4
Processes

[1] C:\Windows\system32\rundll32.exe (PID 348)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe (PID 1728)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2620)
            command line: cmd.exe /c wmic BASEBOARD get product/value
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2704)
                command line: wmic BASEBOARD get product/value
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2768)
            command line: cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2520)
                command line: wmic Path Win32_DisplayConfiguration get DeviceName/value
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2664)
            command line: cmd.exe /c wmic cpu get ProcessorId/value
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2604)
                command line: wmic cpu get ProcessorId/value

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2512)
            command line: cmd.exe /c wmic DISKDRIVE get Signature/value
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2612)
                command line: wmic DISKDRIVE get Signature/value