Analysis
- max time kernel: 139s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 02:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
- Resource: win7-20240508-en
General
- Target: 65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 65be5073c6f4834d3d1c73594d97b75d
- SHA1: 06c6bc46067313ccaf0d0dad517f5f216f46b4be
- SHA256: ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14
- SHA512: a1f333d5001246ce6443d2203b31af97bc946326453680dd5d5c4f8c9c60ca473f844a1ee565b56ccc618434c794d449aa4f618604ee9a1b227e6203be8310c9
- SSDEEP: 24576:651RzX5yRZj474urTiFDhRj5m6tYFyIG4SN6u0QHsBQ4oxKy1fumXF:DZj474GOdcG76u0QMBQ4ox5umX
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes (description | pid | process | target process):
- PID 2280 created 608 | 2280 | rundll32.exe | winlogon.exe
Windows security bypass
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Windows\SysWOW64\rundll32.exe = "0" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\ = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\1716346001 = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\{397F3C6B-406E-9D34-CE6A-1F5D0B21B113} = "0" | regsvr32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rundll32.exe = "0" | regsvr32.exe
Blocklisted process makes network request (3 IoCs)
Processes (flow | pid | process):
- 38 | 2280 | rundll32.exe
- 40 | 2280 | rundll32.exe
- 42 | 2280 | rundll32.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM | rundll32.exe
- Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | rundll32.exe
Delays execution with timeout.exe (2 IoCs)
Processes (pid | process):
- 3380 | timeout.exe
- 2600 | timeout.exe
Modifies system certificate store
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E | rundll32.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E\Blob = [blob data not included in this capture] | rundll32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572 | rundll32.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572\Blob = [blob data not included in this capture] | rundll32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid | process):
- 2280 | rundll32.exe (the same entry is recorded 10 times)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2280 | rundll32.exe (the same entry is recorded 5 times)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process):
- PID 1524 wrote to memory of 2280 | 1524 | rundll32.exe | rundll32.exe (recorded 3 times)
- PID 2280 wrote to memory of 2668 | 2280 | rundll32.exe | regsvr32.exe (recorded 3 times)
- PID 2280 wrote to memory of 620 | 2280 | rundll32.exe | cmd.exe (recorded 3 times)
- PID 620 wrote to memory of 3380 | 620 | cmd.exe | timeout.exe (recorded 3 times)
- PID 620 wrote to memory of 2600 | 620 | cmd.exe | timeout.exe (recorded 3 times)
Processes (process tree; indentation shows parent/child relationship, signatures listed under each process)
- C:\Windows\system32\winlogon.exe
  cmdline: winlogon.exe
  - C:\Windows\SysWOW64\regsvr32.exe
    cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" /i /n /s:"$$vu6AIFYxhOMk7W6IUZnJFL6hoDmJisMjRHTkfDTGXu_RTVlW5mu_-ZKaZTbMHBLhWPauzn9fBaJc1pwDNAjHZItVo55hv5PjHpk9Iv-lAzaNiCZU0Uc33bpr1oDY6gbC0_4Ejs2iySR7OqCPM8P56ktq2jb-KLSffOvki77arvCqN2JhvqSpzpCWLD1qAjtDOSF4U6SV7c2Dodd59maPgbK7aG5bJR2hkwKGtK87JaJ6lzPp73al6jTSn8Kzew1394Mtb44krmvPCd3fbVpO5FT4WqjcbyoR2Cd_wnvWnd7yAkylni1A6e1qeJGFXMOiaH30ycMirGR6G8xLD3K6g6xh3lzgDL8LKZi_VAIt5SGpTYA7oPRRLJPeVlQICwMNMu0tIwKjN4AGgcThQusHxzNXwvH071eSYoRX3C5Ppi737_6Cf5h7b6Vy2BVnyUu4gybEyhp_AmLwZuswPptzQdDy9sl20d7JWgEqawliQ4QKSd2tZApcGTbFkrFfjQkRXvYhS6NS5gh80-aBMmaS0zB4NELcRaY76yTyhnNY0zMHZoyGgxJVYcBqDNKq_digCAk3S_GQp0Gcg72SIJvY6tkjApvJuoZmSmzJbpefHmRTB7UaTopCOYz_J6m3wcZMN_XdDB1d_EatuAHmxiOGCpbJO-LhlyxnCjlp$$"
    signatures:
    - Windows security bypass
- C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
  signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
    signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" & timeout /t 5
      signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        cmdline: timeout /t 5
        signatures:
        - Delays execution with timeout.exe
      - C:\Windows\SysWOW64\timeout.exe
        cmdline: timeout /t 5
        signatures:
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2280-0-0x0000000075091000-0x0000000075177000-memory.dmp
  Filesize: 920KB
- memory/2280-2-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB
- memory/2280-1-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB
- memory/2280-7-0x0000000075091000-0x0000000075177000-memory.dmp
  Filesize: 920KB
- memory/2668-3-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB
- memory/2668-5-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB
- memory/2668-4-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB
- memory/2668-6-0x0000000075090000-0x00000000751FF000-memory.dmp
  Filesize: 1.4MB