Analysis Overview
SHA256
c7ded3197a6eafcba878a7c226d218614e3512e400464b1cb20d3d7c04d7deb4
Threat Level: Shows suspicious behavior
The file 11a3b03cef9769a4e474f12f5008818f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Access Token Manipulation: Create Process with Token
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:14
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:14
Reported
2024-06-26 10:16
Platform
win7-20240611-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\lua.wkl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\lua.wkl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\msremotx.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\msremotx.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,1309250235,-496657352,-352895392" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msremotx.dll",_RunAs@16
Network
Files
memory/2392-1-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2392-2-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2392-0-0x0000000010000000-0x0000000010022000-memory.dmp
C:\Windows\msremotx.dll
| MD5 | 11a3b03cef9769a4e474f12f5008818f |
| SHA1 | d44c43ff53be2f338f00ae02e8cfcde58ee2e774 |
| SHA256 | c7ded3197a6eafcba878a7c226d218614e3512e400464b1cb20d3d7c04d7deb4 |
| SHA512 | 58d3b49c77d4099f84584d7e140e5673a713deb0ef4e225cda52bb6342036a1afae883d3d8e7b5bb529ed31ac21b2e9bc669aa0ae7f1e3ba464cd6c009ec5af5 |
memory/2056-7-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2056-9-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2056-8-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2392-10-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2056-11-0x0000000010000000-0x0000000010022000-memory.dmp
memory/2056-23-0x0000000010000000-0x0000000010022000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:14
Reported
2024-06-26 10:16
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\msremotx.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\lua.wkl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\lua.wkl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\msremotx.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,1309250235,-496657352,-352895392" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 216 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 216 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5044 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5044 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5044 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11a3b03cef9769a4e474f12f5008818f_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msremotx.dll",_RunAs@16
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5044-0-0x0000000010000000-0x0000000010022000-memory.dmp
C:\Windows\msremotx.dll
| MD5 | 11a3b03cef9769a4e474f12f5008818f |
| SHA1 | d44c43ff53be2f338f00ae02e8cfcde58ee2e774 |
| SHA256 | c7ded3197a6eafcba878a7c226d218614e3512e400464b1cb20d3d7c04d7deb4 |
| SHA512 | 58d3b49c77d4099f84584d7e140e5673a713deb0ef4e225cda52bb6342036a1afae883d3d8e7b5bb529ed31ac21b2e9bc669aa0ae7f1e3ba464cd6c009ec5af5 |
memory/4980-6-0x0000000010000000-0x0000000010022000-memory.dmp
memory/5044-7-0x0000000010000000-0x0000000010022000-memory.dmp
memory/4980-8-0x0000000010000000-0x0000000010022000-memory.dmp