Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 18:48

Behavioral task: behavioral1
Sample: 23642f69a3c6e20aa101598ee9f6831a_JaffaCakes118.dll
Resource: win7-20240611-en
4 signatures
150 seconds
General

Target: 23642f69a3c6e20aa101598ee9f6831a_JaffaCakes118.dll
Size: 80KB
MD5: 23642f69a3c6e20aa101598ee9f6831a
SHA1: f95510b0a7ede76879bd3b397964fbeb87618aa8
SHA256: d7de145c213d9fcce8fa3d72619d368ae6ce816ce1ee2ba48d0d85f889315677
SHA512: 10b5f9d114d67d25408d98cbf27dad66f84a67cc9c65ff3ffce81663ec401b2778ba5e0efabd67208bb8fd7d8fa9bfc76c8c0c3edfd84679ad51e30142678ed5
SSDEEP: 768:UedoF/PjJaIm//39QqUHBNadria2edb9HmZELLsdbIWRWeFWxZ:U9Dm/P9xUH6drb2edb9G4iSxZ
Malware Config

Signatures

Detect Blackmoon payload (2 IoCs)
  resource                                                                          yara_rule
  behavioral2/memory/4168-0-0x0000000010000000-0x0000000010014000-memory.dmp        family_blackmoon
  behavioral2/memory/4168-1-0x0000000010000000-0x0000000010014000-memory.dmp        family_blackmoon

Blocklisted process makes network request (42 IoCs)
  flow     pid    Process
  5, 28, 29, 30, 31, 38, 40, 41, 42, 43, 52, 55, 58, 60, 61, 62, 63, 64, 65, 66, 67, 68, 74, 76, 77, 78, 79, 80, 81, 84, 97, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109
           4168   rundll32.exe  (all 42 flows originate from the same pid 4168, rundll32.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid     Process         procid_target
  PID 1840 wrote to memory of 4168   1840    rundll32.exe    85
  PID 1840 wrote to memory of 4168   1840    rundll32.exe    85
  PID 1840 wrote to memory of 4168   1840    rundll32.exe    85
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23642f69a3c6e20aa101598ee9f6831a_JaffaCakes118.dll,#1
   PID: 1840
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1840)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23642f69a3c6e20aa101598ee9f6831a_JaffaCakes118.dll,#1
      PID: 4168
      - Blocklisted process makes network request