Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 02:46
Static task: static1
Behavioral task: behavioral1
Sample: 65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
Resource: win7-20240508-en
General
- Target: 65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 65be5073c6f4834d3d1c73594d97b75d
- SHA1: 06c6bc46067313ccaf0d0dad517f5f216f46b4be
- SHA256: ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14
- SHA512: a1f333d5001246ce6443d2203b31af97bc946326453680dd5d5c4f8c9c60ca473f844a1ee565b56ccc618434c794d449aa4f618604ee9a1b227e6203be8310c9
- SSDEEP: 24576:651RzX5yRZj474urTiFDhRj5m6tYFyIG4SN6u0QHsBQ4oxKy1fumXF:DZj474GOdcG76u0QMBQ4ox5umX
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1692 created 432 | 1692 | rundll32.exe | winlogon.exe
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
    5 | 1692 | rundll32.exe
    7 | 1692 | rundll32.exe
    9 | 1692 | rundll32.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    2960 | cmd.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DISK\ENUM | rundll32.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM | rundll32.exe
- Delays execution with timeout.exe (2 IoCs)
  Processes (pid | process):
    1304 | timeout.exe
    2636 | timeout.exe
- Modifies system certificate store
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572 | rundll32.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572\Blob = 030000000100000014000000fa47ef9f4168443796e2a534a90d9d36c1c185722000000001000000cd030000308203c9308202b1a003020102020900d98308e45f1730f5300d06092a864886f70d01010505003065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c61796572301e170d3138303132323131353631375a170d3438303131353131353631375a3065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c6179657230820122300d06092a864886f70d01010105000382010f003082010a0282010100addc4d3e91686c4409bc81594db895497f51ba4391d1cdd3a5f023b7b5b7386f03863ff8af25814b0b2d7de511bb4515936cad031e20a2be99c04b1ec2b21a6bd8f107b3ed9d67d1c455f2f6854c7e8310ac0ef014ff69119bb60f87a61dc4f40a49b62eb1af5493076cb90d736afe8aa9b3a80fe17818a95ffe33adfc2c0492437144c8edd4c2665c2172bc69bb3be29164b96550bc62e6dcb18fc71c795f2d1922ff394b095c02643e2859c75d9aa3121d6f6b22c785730ed45f66bef0acbda739ab1ff60e4cba43bed235fe6b979d1c0422b60068422c86945c6594854301e58ab2a2fb49121675b15c1c7793476093d3da84702e637a691ababf0268e58d0203010001a37c307a30120603551d130101ff040830060101ff020100301106096086480186f8420101040403020204300b0603551d0f040403020106301d0603551d250416301406082b0601050507030106082b06010505070302302506096086480186f842010d041816164f70656e53534c204341204365727469666963617465300d06092a864886f70d010105050003820101005114df932c65ef49a656d1315aabaea70d75c696ae6060766818ed0dc95ee86d99ec858118e7727ac355ad5f71e98e210b89ec87cccacee7ca1146aba9537a08b1d8f8543a700c4f5c895eb81b9681438deaa8905cd0852209dab68baa845bb3d56159e6b2463f11f7a5936bbc887841d75ccb09401be88581a079d49236a37dcbe8a3fc538293a6d4842db85ec8be5faa9bafc453de3be56f8d0bb73a79c193d78bec90ed22b54151a9a42051d9d102c75bce07be4bb4273bc117ba2e47b544d3e656adaa88ccea61274dde5a966df5212270ca2f3fb025ef2cf6938caaa9fc7a4dbc214a2ced10b44740dd2d7449772849fd4806e594c19586089f6a56f7bf | rundll32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E | rundll32.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E\Blob = 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 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1692 | rundll32.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1692 | rundll32.exe (5 entries)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description | pid | process | target process):
    PID 1832 wrote to memory of 1692 | 1832 | rundll32.exe | rundll32.exe (7 entries)
    PID 1692 wrote to memory of 1964 | 1692 | rundll32.exe | regsvr32.exe (7 entries)
    PID 1692 wrote to memory of 2960 | 1692 | rundll32.exe | cmd.exe (4 entries)
    PID 2960 wrote to memory of 1304 | 2960 | cmd.exe | timeout.exe (4 entries)
    PID 2960 wrote to memory of 2636 | 2960 | cmd.exe | timeout.exe (4 entries)
Processes (process tree; nesting shows parent/child depth)
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" /i /n /s:"$$qTRjZQ8H7KumVTUugD-inHQ4H5YQVfDhdgjESvVa9HdihqG0ud5wlSSjY81wdZ9cgc5MGH8AlAT6bSNGUOCObqxDI60MSJyzhYgF6b5RMrnUlTUqmGyhAqfUM9We4eotwkcSS3peLG_2libIuVnT26UvbaHpVqqHt5bDFkaGy3IdnwN3hBxKMKVC_E6RBf9XyZnE156OmRWtGhWyK-lSTs5FFHyquOGfObkQOuYy2cLfUA9lkoVAMIFtykQh5wCqtnGIgQxQ4zgrpmz6x7A8bMI1mGnekmuBWrjxAAPt3L4HafH52M9ms7AxDWIF-8jFfHit2bV51M4o3FRRjllSuBIhg4o_P8AsLYp9OrE7iA1mZLu94mx2bZPVBX268XblEknvuRRZhUFUXLbGshqrVk42YbzuyqIL_Yy11Lj-V4MqXL_BtkrdyujJcINh_sece1WkVOARx2i65KHvfxFHiC1B8CiGds4azEqxxjs7kpc15b6tGb61Uxe04hoOTHGwE2Fo2Sf5gzYmG8FFI8dDT0uQLvBNHcFe4O37MrRRdemt3OH9Ld0Hq4pSjAaGEqq0Pj8U91K3f5-L20XBrVrJdgjBYt_xsGd29YX10TR61wfpGNz3MjvEy5whcAW7Cz4gz_nL6RoRS1esVID2CaEgSssBOdjrgwQQ$$"
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" & timeout /t 5
      Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 5
        Signatures:
        - Delays execution with timeout.exe
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 5
        Signatures:
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1692-0-0x0000000074CB1000-0x0000000074D97000-memory.dmp (Filesize: 920KB)
- memory/1692-1-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)
- memory/1692-2-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)
- memory/1692-7-0x0000000074CB1000-0x0000000074D97000-memory.dmp (Filesize: 920KB)
- memory/1964-3-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)
- memory/1964-4-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)
- memory/1964-5-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)
- memory/1964-6-0x0000000074CB0000-0x0000000074E1F000-memory.dmp (Filesize: 1.4MB)