Analysis
-
max time kernel
119s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08/07/2024, 08:10
Behavioral task
behavioral1
Sample
2b98d7f3226846be0f5ea74826cec3d8_JaffaCakes118.dll
Resource
win7-20240704-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
2b98d7f3226846be0f5ea74826cec3d8_JaffaCakes118.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2b98d7f3226846be0f5ea74826cec3d8_JaffaCakes118.dll
-
Size
39KB
-
MD5
2b98d7f3226846be0f5ea74826cec3d8
-
SHA1
51ad2ad3be03d68ffac563965617146640eec298
-
SHA256
49db1ccf6313a9a50dd1cde73dbd9a18a914e0fdcc7dc80b49675e115d1e30ba
-
SHA512
51b6d09c884dac3a00eda701c95df4e8c94e1bf95765323176015963ecaafa461465d2632a6db73810f7b0703d42d784325636a5fc3679888ef67382fc5d9774
-
SSDEEP
768:3i00+F7sA6HTN1hNV9vjVyfhPSWft7HJCNg9WanjQv50HZBpxZdeV:Sr+FxITjhNvvjGPSct7HJO4ZV
Score
7/10
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/920-0-0x0000000010000000-0x000000001001D000-memory.dmp upx -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID dwm.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe -
Modifies data under HKEY_USERS 36 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe 920 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeCreateGlobalPrivilege 4400 dwm.exe Token: SeChangeNotifyPrivilege 4400 dwm.exe Token: 33 4400 dwm.exe Token: SeIncBasePriorityPrivilege 4400 dwm.exe Token: SeCreateGlobalPrivilege 4956 dwm.exe Token: SeChangeNotifyPrivilege 4956 dwm.exe Token: 33 4956 dwm.exe Token: SeIncBasePriorityPrivilege 4956 dwm.exe Token: SeShutdownPrivilege 4956 dwm.exe Token: SeCreatePagefilePrivilege 4956 dwm.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4212 wrote to memory of 920 4212 rundll32.exe 82 PID 4212 wrote to memory of 920 4212 rundll32.exe 82 PID 4212 wrote to memory of 920 4212 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b98d7f3226846be0f5ea74826cec3d8_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b98d7f3226846be0f5ea74826cec3d8_JaffaCakes118.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
PID:920
-
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956