Analysis
-
max time kernel
151s -
max time network
160s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
11-07-2024 08:57
Static task
static1
Behavioral task
behavioral1
Sample
387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll
Resource
win10v2004-20240709-en
General
-
Target
387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll
-
Size
1.1MB
-
MD5
387a4f2ae6425aad90d8edf2266e9d3d
-
SHA1
ed97413fc292a8f16567f4d9b1b296063cc9ce30
-
SHA256
d1460a23df05dfb9ae0234fae0e01dfd8a7c39575f9bc8c539260a853345c393
-
SHA512
705c8f068d9ba5cb185d749ea44e1eb0dddf773f92a5eec1fea6f1b2c4b14d9690d80fc28c8f90ef41373e8d534c9a030a25557f71919b5225b1d07dd88923e1
-
SSDEEP
24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00a:SuNZ7Ib8ZBL2/XF
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll"
Process: regsvr32.exe -
Drops file in System32 directory 2 IoCs
description: File created
ioc: C:\Windows\SysWOW64\2e58aa1fef.dll
Process: svchost.exe
description: File opened for modification
ioc: C:\Windows\SysWOW64\2e58aa1fef.dll
Process: svchost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
PID 2380 wrote to memory of 2404 | 2380 | regsvr32.exe | 29
Processes
-
C:\Windows\system32\regsvr32.exe
  Command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  PID: 2380
  C:\Windows\SysWOW64\regsvr32.exe
    Command: /s C:\Users\Admin\AppData\Local\Temp\387a4f2ae6425aad90d8edf2266e9d3d_JaffaCakes118.dll
    - Server Software Component: Terminal Services DLL
    PID: 2404
C:\Windows\SysWOW64\svchost.exe
  Command: C:\Windows\SysWOW64\svchost.exe -k dtcGep
  - Drops file in System32 directory
  PID: 2248
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
123B
MD5 1062a6cde7692e966be16ab4cd46bbff
SHA1 32400cac428c4d363741b39c43505badc6757095
SHA256 15686cc338d481984bd724f604fccfbf4ddc1b771b1bbeb7eebd9f7b23143b84
SHA512 ddc6421e5cc190c6b8bf1a6370a36191a0f96a7b64ecc57608f851a1c9eaa1189865a7e0e6df17b62e83d24146b68f86ad116d7cecf08e8e6b007fd288d232a9
-
Filesize
114B
MD5 695130c10222b830d8f940394eaee2a8
SHA1 0de141352afb97c3a88199f0dce5bc7d4df8090e
SHA256 d026e6812972267446e5895a1b7be5fe051a76a1c7366ae008c1509fc98cf6b3
SHA512 4bfe376f74c9e77a8c4ffecac121aca01dab7011b46576602f68c1039a6cf633a3bc11b31f5be984884f48e1fb51ce88bceb54633512cc5a50617c54f52551e5