Analysis
- max time kernel: 142s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 04:03
Behavioral task
- behavioral1
  - Sample: 5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
  - Resource: win7-20240508-en
  - Platform: windows7-x64
  - 6 signatures
  - 150 seconds
General
- Target: 5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
- Size: 3.0MB
- MD5: 5d166d70872fc980fd4841c6ba7823ea
- SHA1: 78a6e2edc57afbe14383a2938e92af90d5a8b8c3
- SHA256: 79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19
- SHA512: 673e3694802a4ce63e544a5083545fa2df8af51230f2050a207ecc98af497f5c6ba9a8505e5726f2752f78dfc1bda7b89304e5de8da497c50ac3eda0c24557a4
- SSDEEP: 49152:HYmFpKMBznrnNjDoqIMSlePda3HITUYVUanQcj4wjNW6+qUIF5Hw+:4mewrnJDoqIT3XIgYV3HjJjNoOB
Signatures
- Detect Blackmoon payload (1 IoC)
  - resource: behavioral2/memory/3112-1-0x0000000010000000-0x0000000010753000-memory.dmp, yara_rule: family_blackmoon
- YARA rule vmprotect matched (2 IoCs)
  - resource: behavioral2/memory/3112-0-0x0000000010000000-0x0000000010753000-memory.dmp, yara_rule: vmprotect
  - resource: behavioral2/memory/3112-1-0x0000000010000000-0x0000000010753000-memory.dmp, yara_rule: vmprotect
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - process: rundll32.exe (PID 3112)
  - process: rundll32.exe (PID 3112)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - processes: WMIC.exe (PID 548), WMIC.exe (PID 2360)
- Suspicious use of WriteProcessMemory (27 IoCs)
  - processes: rundll32.exe, rundll32.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe (parent/child relations as in the process tree below)
Processes
- C:\Windows\system32\rundll32.exe (PID 2540)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3112)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 920)
      command line: cmd.exe /c wmic BASEBOARD get product/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 548)
        command line: wmic BASEBOARD get product/value
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 3860)
      command line: cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2360)
        command line: wmic Path Win32_DisplayConfiguration get DeviceName/value
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 3632)
      command line: cmd.exe /c wmic cpu get ProcessorId/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4372)
        command line: wmic cpu get ProcessorId/value
    - C:\Windows\SysWOW64\cmd.exe (PID 1612)
      command line: cmd.exe /c wmic DISKDRIVE get Signature/value
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2208)
        command line: wmic DISKDRIVE get Signature/value