Analysis
-
max time kernel
141s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 08:21
Static task
static1
Behavioral task
behavioral1
Sample
9119343541f019abda58b8cd8924211b_JaffaCakes118.dll
Resource
win7-20240215-en
General
-
Target
9119343541f019abda58b8cd8924211b_JaffaCakes118.dll
-
Size
1.9MB
-
MD5
9119343541f019abda58b8cd8924211b
-
SHA1
10d1721b9f19f78c242b08e285735f65b3f95b92
-
SHA256
e79e6a963a8a24b8b0583d705743877b389ef6a460fec86c4ad5edb99df1be85
-
SHA512
d31a627396fc2df83525d269cd48c6eb4adbd59bafe01619927c8a2c1b3c5dda803b9cb4f0141365a70e3c2fb02057487750fd10b31ccd8a438ebbeb9a4453f7
-
SSDEEP
49152:r5BWhpdeXXyaYCfR8Vce56VegLU5MIXqocCYK:dBWhveHP3fSBYVfU5MIXttYK
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine rundll32.exe -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
rundll32.exepid process 3056 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2516 3056 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid process 3056 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 2192 wrote to memory of 3056 2192 rundll32.exe rundll32.exe PID 3056 wrote to memory of 2516 3056 rundll32.exe WerFault.exe PID 3056 wrote to memory of 2516 3056 rundll32.exe WerFault.exe PID 3056 wrote to memory of 2516 3056 rundll32.exe WerFault.exe PID 3056 wrote to memory of 2516 3056 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9119343541f019abda58b8cd8924211b_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9119343541f019abda58b8cd8924211b_JaffaCakes118.dll,#12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 3003⤵
- Program crash
PID:2516
-
-