Analysis Overview
SHA256
4cdd228a963fe2c2755392554ef508077d6f8040307d41d12512cae4c589c07d
Threat Level: Shows suspicious behavior
The file 10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Access Token Manipulation: Create Process with Token
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 06:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 06:04
Reported
2024-06-26 06:07
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\msvcr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\msvcr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,1286228219,-1569870136,-1814625877" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msvcr.dll",_RunAs@0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1472-0-0x0000000010000000-0x000000001004E000-memory.dmp
C:\Windows\msvcr.dll
| MD5 | 10f7cd5bb0b0adb4ae7491ba0f04c34e |
| SHA1 | a626d7e7a3bba6c70622f72a86bd8f7530c73619 |
| SHA256 | 4cdd228a963fe2c2755392554ef508077d6f8040307d41d12512cae4c589c07d |
| SHA512 | a059713131bdfab280c7d31810a22dd58d677cb7a74b969739275332815d659a7367f398641e135e77adbce800cff43d7c9078757bcc0769d7247826152dc9b3 |
memory/1216-5-0x0000000010000000-0x000000001004E000-memory.dmp
memory/1472-6-0x0000000010000000-0x000000001004E000-memory.dmp
memory/1216-7-0x0000000010000000-0x000000001004E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 06:04
Reported
2024-06-26 06:07
Platform
win7-20231129-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\msvcr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\msvcr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,1286228219,-1569870136,-1814625877" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10f7cd5bb0b0adb4ae7491ba0f04c34e_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msvcr.dll",_RunAs@0
Network
Files
memory/760-0-0x0000000010000000-0x000000001004E000-memory.dmp
memory/760-3-0x0000000010000000-0x000000001004E000-memory.dmp
memory/760-4-0x0000000010000000-0x000000001004E000-memory.dmp
C:\Windows\msvcr.dll
| MD5 | 10f7cd5bb0b0adb4ae7491ba0f04c34e |
| SHA1 | a626d7e7a3bba6c70622f72a86bd8f7530c73619 |
| SHA256 | 4cdd228a963fe2c2755392554ef508077d6f8040307d41d12512cae4c589c07d |
| SHA512 | a059713131bdfab280c7d31810a22dd58d677cb7a74b969739275332815d659a7367f398641e135e77adbce800cff43d7c9078757bcc0769d7247826152dc9b3 |
memory/760-5-0x000000001001C000-0x000000001001D000-memory.dmp
memory/1064-7-0x0000000010000000-0x000000001004E000-memory.dmp
memory/760-8-0x0000000010000000-0x000000001004E000-memory.dmp
memory/1064-9-0x0000000010000000-0x000000001004E000-memory.dmp
memory/1064-10-0x0000000010000000-0x000000001004E000-memory.dmp