Resubmissions
28-05-2024 20:22
240528-y5vrgaag9x 28-05-2024 20:21 7
240528-y5eegsag7y 28-05-2024 20:15 7
240528-y13arabg59 10
Analysis
- max time kernel: 11s
- max time network: 11s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 20:21
Static task: static1
Behavioral task: behavioral1
Sample: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
Resource: win7-20240221-en
Errors
General
- Target: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7e42b85a3c28e4d3fd1928efbb1b1716
- SHA1: 5b9550a8987cf92b4cef087122199c716b39a7d5
- SHA256: 824eb4ff3cf95ff179fff5e2f0f1cf01db9a4c70e0106177f40492310aa8d1f5
- SHA512: 2dbbb1b1d48a9c3133a9a97394820ddf5a96a0dc7b75de6d70cc19e544a5add1b295c7b4eaae13fbe9dba848ef4b977c37d3a93e92084866fdbbe7bc5d000912
- SSDEEP: 98304:+DqPoBhzLk36SAEdhvxWa9P593R8yAVp2H:+DqPeLk3ZAEUadzR8yc4H
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: mssecsvc.exe
  pid     process
  1260    mssecsvc.exe
- Drops file in Windows directory (1 IoCs)
  Processes: rundll32.exe
  description     ioc                        process
  File created    C:\WINDOWS\mssecsvc.exe    rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                          pid     process         target process
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2060 wrote to memory of 2760     2060    rundll32.exe    rundll32.exe
  PID 2760 wrote to memory of 1260     2760    rundll32.exe    mssecsvc.exe
  PID 2760 wrote to memory of 1260     2760    rundll32.exe    mssecsvc.exe
  PID 2760 wrote to memory of 1260     2760    rundll32.exe    mssecsvc.exe
  PID 2760 wrote to memory of 1260     2760    rundll32.exe    mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
  PID: 2060
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
    PID: 2760
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1260
      - Executes dropped EXE
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2556
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2044
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b8fb46d2a1f577db36856c3277f76976
  SHA1: 88cccd52b450ce1e4abdd01674aa9c075c80d561
  SHA256: 25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09
  SHA512: 36e958c71ae9f42227f7f30268e87dccb7f3533e4871bc08899b5310effe0d12db4277940e090e60f0818405a2cde879d32920125b51b7edbbf949f48f84799c
- memory/2556-6-0x0000000002E10000-0x0000000002E11000-memory.dmp
  Filesize: 4KB