Analysis
Max time kernel: 132s
Max time network: 96s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-07-2024 21:20
Static task: static1
Behavioral task: behavioral1
  Sample: 3eeca4c4738ed90f1c586e8455c8bc69_JaffaCakes118.dll
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3eeca4c4738ed90f1c586e8455c8bc69_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 3eeca4c4738ed90f1c586e8455c8bc69_JaffaCakes118.dll
Size: 330KB
MD5: 3eeca4c4738ed90f1c586e8455c8bc69
SHA1: 8b68f78cdec8bc1aee6f6dbb52060a2a77773636
SHA256: 576d36164021d51e7f94f20227a78ef1ae1197f9a8efe6f1eb25e2ad1c244843
SHA512: 211e5d81e185d8f40e861976d4ce5a73c16e0adb993e41dacf2aeb09bed2e932ca4a29dd1f9a4c40e8ad23befe0245f1bb7097806c6f19c9f9a1ab39d40de7fb
SSDEEP: 3072:FRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j81qc:fq1sFAwgwmBv3wnIgG4oAYxvU54gc
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
    PID 4336  rundll32.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    Description: File opened for modification
    IoC: C:\Windows\SysWOW64\Jdhuguwcd\kpaeejws.ytb
    Process: rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    PID 4936  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / PID / process / target process):
    PID 556 wrote to memory of 4936   556  rundll32.exe -> rundll32.exe
    PID 556 wrote to memory of 4936   556  rundll32.exe -> rundll32.exe
    PID 556 wrote to memory of 4936   556  rundll32.exe -> rundll32.exe
    PID 4936 wrote to memory of 4336  4936 rundll32.exe -> rundll32.exe
    PID 4936 wrote to memory of 4336  4936 rundll32.exe -> rundll32.exe
    PID 4936 wrote to memory of 4336  4936 rundll32.exe -> rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeca4c4738ed90f1c586e8455c8bc69_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 556
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3eeca4c4738ed90f1c586e8455c8bc69_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 4936
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jdhuguwcd\kpaeejws.ytb",KJSypKTLKb
      - Loads dropped DLL
      PID: 4336
Network
MITRE ATT&CK Enterprise v15