Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 10:17

Static task: static1
Behavioral task: behavioral1
  Sample: 6a9dd151ff3abb0161f872ba4e312b75_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6a9dd151ff3abb0161f872ba4e312b75_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 6a9dd151ff3abb0161f872ba4e312b75_JaffaCakes118.dll
Size: 823KB
MD5: 6a9dd151ff3abb0161f872ba4e312b75
SHA1: 04dc8a217a21343cdaea06b024e223e109224626
SHA256: 66632682023734b61b2d8e9c39b0e96855ffb581abe48165b265947d6bc8c850
SHA512: 99016a4891a8fe2412b4fbdb85c933228400bef3cb65e15e268139e7e19c672b79c05caaddd0322a6111ee2c3c4473b72fcc9cd2e171e154de6bfc5b790c348b
SSDEEP: 12288:sxwWFSX6sU1U8C2LjUoGHxYpmi0w9T6cIuA2FKejx9gNI6MwWjrDMfFk5hSLSbqd:sf06sU1UiLwDCsi0w9euAq4Mpm+SLSo
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
  Process: rundll32.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IMiKZH8GTH\ImagePath = "\\??\\C:\\Windows\\IMiKZH8GTHX.sys"

ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  Resource: C:\Users\Admin\AppData\Local\Temp\DAympFmvH.dll (yara_rule: acprotect)

Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 2208)

YARA rule upx matched:
  Resource: C:\Users\Admin\AppData\Local\Temp\DAympFmvH.dll
  Resource: behavioral2/memory/2208-16-0x00000000743F0000-0x0000000074478000-memory.dmp
  Resource: behavioral2/memory/2208-25-0x00000000743F0000-0x0000000074478000-memory.dmp

Drops file in Windows directory (1 IoC)
  Process: rundll32.exe
  File created: C:\Windows\IMiKZH8GTHX.sys

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: rundll32.exe (PID 2208), recorded twice

Suspicious behavior: LoadsDriver (1 IoC)
  Process: rundll32.exe (PID 2208)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: rundll32.exe (PID 2208)
  Token: SeDebugPrivilege
  Token: SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1904 (rundll32.exe) wrote to memory of PID 2208 (rundll32.exe), recorded three times
Processes
1. C:\Windows\system32\rundll32.exe (PID 1904)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a9dd151ff3abb0161f872ba4e312b75_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2208)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a9dd151ff3abb0161f872ba4e312b75_JaffaCakes118.dll,#1
      - Sets service image path in registry
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4952)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\CDCLOG.txt
  Filesize: 261B
  MD5: 7cd04bd1f735f14b48ff4bb1874cb90c
  SHA1: 4cf56bfdcbf24010605d03ce446eb947c61ffc52
  SHA256: ca56ea6ee411172dd2e0410747a631c75c8bf62b6d4bcfe394c67222b5cfa264
  SHA512: 92bd3cd656048a77f4272d4119be1a7834234e67660ffac9f729a906c9799de1e1547fa2aa81f3b535263aeea24670d5df5e58f1f61f4770c08d1415c8a5da16

C:\Users\Admin\AppData\Local\Temp\DAympFmvH.dll
  Filesize: 476KB
  MD5: 0aba9baa3e94bb298b10f737cafa6fe0
  SHA1: 2b63f527721a2e9bd3ad0ccc8761780a070181a3
  SHA256: dd00067455484f9aab258111d155ec5618c2780d3d48f64f83c012e80afb5f53
  SHA512: e266717084bd674014a700b6f9348ca6eee06e97d3b15a012bcac173e9a7876cdf4dde78b602d639d538282e3906aedba39473ced8577655b474b378c812f72f

memory/2208-0-0x0000000001F50000-0x00000000020CE000-memory.dmp
  Filesize: 1.5MB

memory/2208-1-0x0000000002150000-0x0000000002153000-memory.dmp
  Filesize: 12KB

memory/2208-16-0x00000000743F0000-0x0000000074478000-memory.dmp
  Filesize: 544KB

memory/2208-24-0x0000000001F50000-0x00000000020CE000-memory.dmp
  Filesize: 1.5MB

memory/2208-25-0x00000000743F0000-0x0000000074478000-memory.dmp
  Filesize: 544KB

memory/2208-28-0x0000000002150000-0x0000000002153000-memory.dmp
  Filesize: 12KB

memory/2208-41-0x0000000001F50000-0x00000000020CE000-memory.dmp
  Filesize: 1.5MB