Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 17:24
Static task: static1
Behavioral task: behavioral1
  Sample: 3e38635439dacf0c0a21f398aefb9450_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3e38635439dacf0c0a21f398aefb9450_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 3e38635439dacf0c0a21f398aefb9450_JaffaCakes118.dll
Size: 330KB
MD5: 3e38635439dacf0c0a21f398aefb9450
SHA1: ea3745fb5e1f4b0386cc68e8b453ee37b82cf9df
SHA256: 244064095888aaf45cfcf1ae7b9fbf5f732aae9238057aa1b1169d484138af9c
SHA512: 4422d92bad822ebd289668e44bb90e44109c47424f1872eb7a2bdea79ff3a41c1a954e05c292609cbd193a29cd5432f7dfd3a33ca193d2b2db02610aeb709f33
SSDEEP: 3072:WRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j8eFu:Yq1sFAwgwmBv3wnIgG4oAYxvU54eu
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe (PID 316)
- Drops file in System32 directory (1 IoC)
  Process: rundll32.exe
  IoC: File opened for modification: C:\Windows\SysWOW64\Qdvbkelud\cieuqhzn.ezj
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: rundll32.exe (PID 1152)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description              pid   process       target pid  target process
  wrote to memory of       4476  rundll32.exe  1152        rundll32.exe
  wrote to memory of       4476  rundll32.exe  1152        rundll32.exe
  wrote to memory of       4476  rundll32.exe  1152        rundll32.exe
  wrote to memory of       1152  rundll32.exe  316         rundll32.exe
  wrote to memory of       1152  rundll32.exe  316         rundll32.exe
  wrote to memory of       1152  rundll32.exe  316         rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e38635439dacf0c0a21f398aefb9450_JaffaCakes118.dll,#1
  PID: 4476
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e38635439dacf0c0a21f398aefb9450_JaffaCakes118.dll,#1
    PID: 1152
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qdvbkelud\cieuqhzn.ezj",xoNIosajDXLKjIy
      PID: 316
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15