Analysis Overview
SHA256
5ca60a7e7185f9486344043eb42603253b7aeae94b035018ed58321007af0acf
Threat Level: Shows suspicious behavior
The file 11bd234b6567713f293a19ca11db13fa_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Access Token Manipulation: Create Process with Token
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:49
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:49
Reported
2024-06-26 10:51
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
51s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\msisse.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\msisse.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,1314028207,-89619386,-1814625877" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 760 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 760 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 760 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2556 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2556 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2556 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msisse.dll",_RunAs@16
Network
Files
memory/2556-0-0x0000000010000000-0x0000000010021000-memory.dmp
C:\Windows\msisse.dll
| Hash | Value |
| --- | --- |
| MD5 | 11bd234b6567713f293a19ca11db13fa |
| SHA1 | a121984bebbc0055b63ac03786073d7a269407a3 |
| SHA256 | 5ca60a7e7185f9486344043eb42603253b7aeae94b035018ed58321007af0acf |
| SHA512 | 9af0cfda628c73a4bdbd94b1f1c39fcc90a274201708b4ceadb496f5f3519c3b6fdc50aff9425baa44ac8f59e44d8f0f689d97e608bb6a8406abb315f2b2da92 |
memory/4808-6-0x0000000010000000-0x0000000010021000-memory.dmp
memory/2556-7-0x0000000010000000-0x0000000010021000-memory.dmp
memory/4808-8-0x0000000010000000-0x0000000010021000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:49
Reported
2024-06-26 10:51
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\msisse.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\msisse.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,1314028207,-89619386,-1814625877" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11bd234b6567713f293a19ca11db13fa_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\msisse.dll",_RunAs@16
Network
Files
memory/1896-0-0x0000000010000000-0x0000000010021000-memory.dmp
memory/1896-1-0x0000000010000000-0x0000000010021000-memory.dmp
C:\Windows\msisse.dll
| Hash | Value |
| --- | --- |
| MD5 | 11bd234b6567713f293a19ca11db13fa |
| SHA1 | a121984bebbc0055b63ac03786073d7a269407a3 |
| SHA256 | 5ca60a7e7185f9486344043eb42603253b7aeae94b035018ed58321007af0acf |
| SHA512 | 9af0cfda628c73a4bdbd94b1f1c39fcc90a274201708b4ceadb496f5f3519c3b6fdc50aff9425baa44ac8f59e44d8f0f689d97e608bb6a8406abb315f2b2da92 |
memory/2548-6-0x0000000010000000-0x0000000010021000-memory.dmp
memory/1896-7-0x0000000010000000-0x0000000010021000-memory.dmp
memory/2548-8-0x0000000010000000-0x0000000010021000-memory.dmp
memory/2548-12-0x0000000010000000-0x0000000010021000-memory.dmp