Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-06-2024 10:14
Static task
static1
Behavioral task
behavioral1
Sample
a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
-
Size
339KB
-
MD5
a5079d2183bdf000710a2f4edcfdf3f8
-
SHA1
30b0878b0285627b19213857764b15e0fc93ac62
-
SHA256
34b6799f07c656918d96639d13b299b26ee7b592629d217438eff8b4b277d1fb
-
SHA512
9f4adcafb379c4a9020f3e8fc00f532913f99e47429c512b3787bd4fbba67bbb3335ffd31a475c98e833d169681798f4d1594b01c22ee594e965a5b0ecb36872
-
SSDEEP
3072:XT0d08AmyS59HEjD7sgFX7VdlT+FwKd7Z6EOJRY/nddAAWJZSoB+TrV6dDz6uQBe:jW559ybrVnqoc1WJZSo48d6vBraCrs
Malware Config
Signatures
-
Blocklisted process makes network request 6 IoCs
flow  pid  Process
5     456  rundll32.exe
9     456  rundll32.exe
12    456  rundll32.exe
15    456  rundll32.exe
16    456  rundll32.exe
17    456  rundll32.exe
-
Deletes itself 1 IoCs
pid  Process
456  rundll32.exe
-
Loads dropped DLL 4 IoCs
pid  Process
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
456  rundll32.exe
456  rundll32.exe
-
Unexpected DNS network traffic destination 6 IoCs
Traffic on the DNS port to servers other than the configured DNS servers was detected.
description     ioc
Destination IP  188.165.200.156
Destination IP  109.69.8.34
Destination IP  151.80.147.153
Destination IP  5.135.183.146
Destination IP  185.190.82.182
Destination IP  212.73.150.183
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid  Process
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
868  a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
456  rundll32.exe
456  rundll32.exe
456  rundll32.exe
456  rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
456  rundll32.exe
-
Suspicious behavior: RenamesItself 1 IoCs
pid  Process
456  rundll32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
456  rundll32.exe
456  rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                      pid   Process       procid_target
PID 4192 wrote to memory of 456  4192  rundll32.exe  86
PID 4192 wrote to memory of 456  4192  rundll32.exe  86
PID 4192 wrote to memory of 456  4192  rundll32.exe  86
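The two network signatures above ("Unexpected DNS network traffic destination" and "Blocklisted process makes network request") are both simple rules over per-flow records, and it is worth seeing exactly what they do and do not say: the DNS rule fires on any port-53 traffic to a host that is not the configured resolver, so it catches a rogue resolver and C2 tunnelled over UDP/53 alike, and the report alone does not distinguish the two. The following is an added example written for this page, not the sandbox's own detection code. The flow records are constructed to mirror the report (pid 456 rundll32.exe and the six destination IPs); the record format, the resolver address 10.127.0.1 and the process blocklist are assumptions.

```python
"""Re-derive the two network signatures from constructed flow records."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed: the sandbox VM's configured resolver(s). Any other host on
# port 53 is an "unexpected DNS destination".
CONFIGURED_DNS = {"10.127.0.1"}

# Assumed: living-off-the-land binaries that should not originate traffic.
BLOCKLISTED_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Flow:
    flow_id: int
    pid: int
    process: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value ...' flow record (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(int(kv["flow"]), int(kv["pid"]), kv["process"],
                kv["proto"], kv["dst"], int(kv["dport"]))


# Constructed flow log: pids, process names and destination IPs are taken
# from the report; flow ids 1 and 18 and the resolver traffic are made up.
SAMPLE_FLOWS = """\
flow=1 pid=868 process=a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe proto=udp dst=10.127.0.1 dport=53
flow=5 pid=456 process=rundll32.exe proto=udp dst=188.165.200.156 dport=53
flow=9 pid=456 process=rundll32.exe proto=udp dst=109.69.8.34 dport=53
flow=12 pid=456 process=rundll32.exe proto=udp dst=151.80.147.153 dport=53
flow=15 pid=456 process=rundll32.exe proto=udp dst=5.135.183.146 dport=53
flow=16 pid=456 process=rundll32.exe proto=udp dst=185.190.82.182 dport=53
flow=17 pid=456 process=rundll32.exe proto=udp dst=212.73.150.183 dport=53
flow=18 pid=1234 process=svchost.exe proto=udp dst=10.127.0.1 dport=53
"""


def load_flows(text: str) -> list[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def unexpected_dns_destinations(flows: list[Flow],
                                configured: set[str] = CONFIGURED_DNS) -> list[str]:
    """Distinct destination IPs contacted on port 53 that are not a configured resolver.

    Deliberately does not inspect the payload: the sandbox rule is port-based,
    so a C2 channel on UDP/53 and a rogue resolver look identical here."""
    seen: list[str] = []
    for f in flows:
        if f.dst_port == 53 and f.dst_ip not in configured and f.dst_ip not in seen:
            seen.append(f.dst_ip)
    return seen


def blocklisted_network_requests(flows: list[Flow],
                                 blocklist: set[str] = BLOCKLISTED_PROCESSES
                                 ) -> dict[tuple[int, str], list[int]]:
    """Map (pid, process) -> flow ids for blocklisted processes that made any request."""
    hits: dict[tuple[int, str], list[int]] = defaultdict(list)
    for f in flows:
        if f.process.lower() in blocklist:
            hits[(f.pid, f.process)].append(f.flow_id)
    return dict(hits)


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for ip in unexpected_dns_destinations(flows):
        print("Unexpected DNS network traffic destination:", ip)
    for (pid, proc), ids in blocklisted_network_requests(flows).items():
        print(f"Blocklisted process {proc} (pid {pid}) made {len(ids)} network requests: flows {ids}")
```

Run against the constructed log this reproduces the report's six IoCs for the DNS rule and the six flows attributed to pid 456 for the blocklist rule. Note that the resolver traffic from pid 868 and svchost.exe is not flagged by either rule, which is the intended behaviour.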
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"
tree level 1
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:868
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host
tree level 1
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host
tree level 2
- Blocklisted process makes network request
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:456
-
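The process tree above carries three hunting signals that are stronger than any single signature: rundll32.exe is handed a module with a non-DLL extension (.kfj), that module lives under C:\ProgramData (user-writable), and the 64-bit C:\Windows\system32\rundll32.exe (pid 4192) spawns the 32-bit C:\Windows\SysWOW64\rundll32.exe (pid 456), which is what rundll32 does when the module it is asked to load is 32-bit, consistent with the arch:x86 tag. The following is an added example, not code from this report or from the sandbox: it parses rundll32 command lines and raises those three findings from process-creation events. The events are constructed from the tree on this page; the event layout, the parent pid 4000 for the dropper and the unknown parent (0) for pid 4192 are assumptions, since the report shows pid 4192 as a tree root.

```python
"""Flag suspicious rundll32 module loads from constructed process-creation events."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. Pids, images and command lines come from the report's
# process tree; the parent of pid 868 (4000) and the parent of pid 4192 (0,
# unknown, shown as a tree root in the report) are assumptions.
EVENTS = [
    ProcEvent(868, 4000,
              r"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"'),
    ProcEvent(4192, 0,
              r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host'),
    ProcEvent(456, 4192,
              r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host'),
]

# Extensions rundll32 is normally asked to load; anything else is worth a look.
NORMAL_DLL_EXTS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
# Prefixes a standard user can write to (lower-cased for comparison).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# First token is rundll32 itself (quoted or bare); the rest is "<module>,<export> [args]".
_RUNDLL_PREFIX = re.compile(r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(.*)$', re.I)
_MODULE_EXPORT = re.compile(r'\s*"?([^",]+)"?\s*,\s*(\S+)\s*(.*)$')


def parse_rundll32_cmdline(cmdline: str) -> tuple[str, str, str] | None:
    """Return (module_path, export_name, remaining_args) or None if not rundll32 syntax."""
    m = _RUNDLL_PREFIX.match(cmdline)
    if not m:
        return None
    m2 = _MODULE_EXPORT.match(m.group(1))
    if not m2:
        return None
    return m2.group(1), m2.group(2), m2.group(3).strip()


def _is_rundll32(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "rundll32.exe"


def analyze(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, finding, module) tuples for every rundll32 event that looks abnormal."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[int, str, str]] = []
    for e in events:
        if not _is_rundll32(e.image):
            continue
        parsed = parse_rundll32_cmdline(e.cmdline)
        if parsed is None:
            continue
        module, export, _args = parsed
        if PureWindowsPath(module).suffix.lower() not in NORMAL_DLL_EXTS:
            findings.append((e.pid, "rundll32 module with non-DLL extension", module))
        if module.lower().startswith(USER_WRITABLE):
            findings.append((e.pid, "rundll32 module loaded from user-writable path", module))
        parent = by_pid.get(e.ppid)
        # 64-bit rundll32 re-launches the SysWOW64 copy to host a 32-bit module.
        if (parent is not None and _is_rundll32(parent.image)
                and "\\syswow64\\" in e.image.lower()
                and "\\system32\\" in parent.image.lower()):
            findings.append((e.pid, f"WOW64 rundll32 re-spawn for export {export}", module))
    return findings


if __name__ == "__main__":
    for pid, what, module in analyze(EVENTS):
        print(f"pid {pid}: {what}: {module}")
```

The parser stops at the first comma after the module, which matches rundll32's own `<module>,<export>` convention; a quoted path containing a comma would need a dedicated tokenizer. On the constructed tree this yields two findings for pid 4192 and three for pid 456.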
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
1KB
MD5 b53babc887877ce234cbe7f47ac11ebf
SHA1 287ebfbc09d4e7b0d26c7b0d463ff3d3385279e5
SHA256 c43f8c0a671c3d87d81cbba8edc57fa728bfd68897739de491d2fedacc202f9e
SHA512 eb845fc70900050d6182a7b295a2022b89d07819bc797c97ebdfc4dfb52dd9e2dedd6b84be9b7e475a3e1254f29c99cac46ae1dad7833bd3d2c4fb4ac5f87103
-
Filesize
212KB
MD5 df832baef4c9a62a43fa19bac03ea73f
SHA1 1585e964afcc4ce759339c6f9cc6f5e3908f3bdc
SHA256 e011cf5a1c3fa9ce3f192ef87247a14465b419f02cbebf342af661de66a6a33e
SHA512 74c593819860f1ab87a85a9a8b9efc6045179760ef781790583383413004ca069d8f6aa185275c0e4618dc44a24b1ab45624b5c3b601e233999bf8ea1e14e839
-
Filesize
212KB
MD5 0f09bcd355ac453606e8a2e953cd7c1e
SHA1 942cf739cca27ed8fd28d4b2c153033ffaa48e77
SHA256 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0
SHA512 e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc