Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 10:14
Static task: static1
Behavioral task: behavioral1
  Sample: a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
Size: 339KB
MD5: a5079d2183bdf000710a2f4edcfdf3f8
SHA1: 30b0878b0285627b19213857764b15e0fc93ac62
SHA256: 34b6799f07c656918d96639d13b299b26ee7b592629d217438eff8b4b277d1fb
SHA512: 9f4adcafb379c4a9020f3e8fc00f532913f99e47429c512b3787bd4fbba67bbb3335ffd31a475c98e833d169681798f4d1594b01c22ee594e965a5b0ecb36872
SSDEEP: 3072:XT0d08AmyS59HEjD7sgFX7VdlT+FwKd7Z6EOJRY/nddAAWJZSoB+TrV6dDz6uQBe:jW559ybrVnqoc1WJZSo48d6vBraCrs
Malware Config
Signatures
Blocklisted process makes network request (6 IoCs)
  flow  pid   process
  5     2768  rundll32.exe
  6     2768  rundll32.exe
  7     2768  rundll32.exe
  8     2768  rundll32.exe
  9     2768  rundll32.exe
  10    2768  rundll32.exe

Deletes itself (1 IoC)
  pid   process
  2768  rundll32.exe

Loads dropped DLL (2 IoCs)
  pid   process
  376   a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
  2768  rundll32.exe

Unexpected DNS network traffic destination (6 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  109.69.8.34
  Destination IP  5.135.183.146
  Destination IP  151.80.147.153
  Destination IP  212.73.150.183
  Destination IP  185.190.82.182
  Destination IP  188.165.200.156

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  376   a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
  376   a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
  2768  rundll32.exe
  2768  rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2768  rundll32.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   process
  2768  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  2768  rundll32.exe
  2768  rundll32.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process       procid_target
  PID 2596 wrote to memory of 2748  2596  taskeng.exe   29
  PID 2596 wrote to memory of 2748  2596  taskeng.exe   29
  PID 2596 wrote to memory of 2748  2596  taskeng.exe   29
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
  PID 2748 wrote to memory of 2768  2748  rundll32.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe (PID 376, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe (PID 2596, depth 1)
  command line: taskeng.exe {FB3610A5-217B-46D0-BEEE-057FF1FC40AD} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 2748, depth 2, child of 2596)
    command line: rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2768, depth 3, child of 2748)
      command line: rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host
      - Blocklisted process makes network request
      - Deletes itself
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: RenamesItself
      - Suspicious use of SetWindowsHookEx
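Two things in this report are worth turning into reusable checks. First, the dropped module C:\ProgramData\ghbamjdm\bfjnednc.dhf is not loaded by the sample itself but by rundll32.exe under taskeng.exe, the Task Scheduler engine, so execution goes through a scheduled task; the 64-bit rundll32 then relaunches its SysWOW64 counterpart, which is how rundll32 behaves when the module it is given is 32-bit. The module has a non-DLL extension, sits in a user-writable directory, and is entered through DllGetClassObject, a COM entry point whose signature does not match rundll32's entry-point contract, so no legitimate caller would name it. Second, the DNS signature records port-53 traffic to six servers that are not the configured resolvers. The following is an added example, not part of the sandbox report and not the sandbox's own detection code, that expresses both checks as detection logic over constructed records. The command lines and the six destination IPs are taken from the report; the resolver address 10.0.2.3, the flow records, the pid/process pairing and the port-53 attribution are assumptions constructed for the example.

```python
"""Added example: heuristics for the two behaviours the report flags.
Not the sandbox's detection code; the resolver address, flow records and
pid/process pairing below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# rundll32 command line: [path\]rundll32[.exe] <module>,<export> [args]
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'   # image, optionally quoted / with path
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,"]+))'             # module path, quoted or bare
    r'\s*,\s*(?P<export>[a-z_][\w@]*)'                      # ,ExportName (ordinal form #n not handled)
    r'(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# COM / regsvr32 entry points. Their signatures do not match rundll32's
# (HWND, HINSTANCE, LPSTR, int) contract, so a legitimate rundll32 caller
# has no reason to name them; loaders do, because any export will run.
COM_EXPORTS = {"dllgetclassobject", "dllregisterserver", "dllunregisterserver",
               "dllcanunloadnow", "dllinstall"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}
# Locations a standard user can write to; system DLLs do not live here.
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


def rundll32_findings(cmdline: str) -> list[str]:
    """Reasons a rundll32 command line looks like a loader; [] if nothing stands out."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return []                                   # not a parsable rundll32 invocation
    module = (m.group("qmod") or m.group("mod")).lower()
    export = m.group("export")
    filename = module.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    reasons = []
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module extension {ext or '(none)'!r} is not a DLL extension")
    if any(marker in module for marker in USER_WRITABLE_MARKERS):
        reasons.append("module loaded from a user-writable directory")
    if export.lower() in COM_EXPORTS:
        reasons.append(f"COM entry point {export} invoked through rundll32")
    return reasons


@dataclass(frozen=True)
class Flow:
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def unexpected_dns_destinations(flows, configured_dns) -> list[str]:
    """Destinations contacted on port 53 that are not configured resolvers, first-seen order."""
    allowed = {ipaddress.ip_address(ip) for ip in configured_dns}
    found: list[str] = []
    for f in flows:
        if f.dst_port != 53:
            continue
        if ipaddress.ip_address(f.dst_ip) not in allowed and f.dst_ip not in found:
            found.append(f.dst_ip)
    return found


# Constructed resolver for the analysis VM (assumption; the report does not state it).
CONFIGURED_DNS = ("10.0.2.3",)
# Constructed flows: the six destination IPs come from the report; the pid/process
# pairing and the port-53 attribution are assumptions made for this example.
SAMPLE_FLOWS = [
    Flow(2768, "rundll32.exe", "10.0.2.3", 53),          # normal lookup via the resolver
    Flow(2768, "rundll32.exe", "109.69.8.34", 53),
    Flow(2768, "rundll32.exe", "5.135.183.146", 53),
    Flow(2768, "rundll32.exe", "151.80.147.153", 53),
    Flow(2768, "rundll32.exe", "212.73.150.183", 53),
    Flow(2768, "rundll32.exe", "185.190.82.182", 53),
    Flow(2768, "rundll32.exe", "188.165.200.156", 53),
    Flow(2768, "rundll32.exe", "109.69.8.34", 53),       # repeat: reported once
    Flow(376, "a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe", "203.0.113.10", 443),  # not DNS port
]

# The rundll32 command line as it appears in the process tree, plus a benign one for contrast.
REPORTED_CMDLINE = 'rundll32.exe "C:\\ProgramData\\ghbamjdm\\bfjnednc.dhf",DllGetClassObject host'
BENIGN_CMDLINE = "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"

if __name__ == "__main__":
    for cl in (REPORTED_CMDLINE, BENIGN_CMDLINE):
        print(cl, "->", rundll32_findings(cl) or "clean")
    print("unexpected DNS destinations:", unexpected_dns_destinations(SAMPLE_FLOWS, CONFIGURED_DNS))
```

The reported command line trips all three rundll32 heuristics while the shell32.dll control-panel call trips none. Port-53 traffic to servers that are not the configured resolvers either means the payload carries its own hardcoded resolvers or is using a DNS-shaped channel; in both cases it bypasses whatever logging or filtering sits on the enterprise resolver, which is why it is worth alerting on independently of the destination addresses themselves.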
Downloads
Filesize: 1KB
MD5: 5b76b3f86d0e1f3f397c9f5cf4e2ae3c
SHA1: 8acac8e96af0c85efa46a117efa028002dc53403
SHA256: 84af7190bb4943e9acf8cc7acd64c54091c13195de7995f3ca1445054d4dbdec
SHA512: 344e4a8da4e222cb78e1d3dd67835c3d5473a2d93b3cfec32ee1304ffa47ba17eeb5939bc8fe36e9da9d5034daa8d7a167442759340c0a61bc9e5978533d9900

Filesize: 212KB
MD5: 9a359c7a57a9af742c9e0aa59c047cfb
SHA1: 017d90de87eab0b0c5b73e6eacbb5b637440d7f1
SHA256: 309a1ec1fa3fbd4ecdfb2301df0991e43137f4bb8a57fd4831ac343d7f780bd5
SHA512: 79b589508baa24b0078ef9ada55c887b97d02430d4c14533193150ba5e1335527c3b898063848d65c6038cb63e87ee2bd7d9678d75a35a5b3e79af78a7429acb

Filesize: 212KB
MD5: 0f09bcd355ac453606e8a2e953cd7c1e
SHA1: 942cf739cca27ed8fd28d4b2c153033ffaa48e77
SHA256: 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
SHA512: e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc