Analysis

  max time kernel:   150s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240709-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         13/07/2024, 06:19
Behavioral tasks

  behavioral1:  4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll  on  win7-20240705-en
  behavioral2:  4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll  on  win10v2004-20240709-en

The signatures, memory dumps and process tree below all reference behavioral2, the Windows 10 run.
General

  Target:  4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll
  Size:    118KB
  MD5:     4084c06b7ab87de27ba98d5c7e8290ee
  SHA1:    b1f8a56ae57d5bc58d405e4f81e19a67f41dcce8
  SHA256:  7631a63e7547c1f31660db63a07a7dd8c1ad34126658d2d129df1745114ef051
  SHA512:  a09f3dd3169c23f3dd274efb7325db02ab5e4c73a4799478776a9a9cb8e988acf0b71d2a8a5d4f74f15c9215b76ec8d1c0d07dd7b176efcf600c27566df738cd
  SSDEEP:  1536:v8DDS7LFiLjnavBSsOnOonMaPJtSNBeAt94nouy8Af206g:aIFYjnav4bnOAMaWeAt2outKG
Malware Config

  (nothing extracted in this report)

Signatures

Loads dropped DLL (1 IoC)
  PID 2292  rundll32.exe

YARA rule "upx" matches (5 IoCs)
  behavioral2/memory/4080-0-0x0000000010000000-0x000000001001F000-memory.dmp
  behavioral2/files/0x000b0000000234ef-4.dat
  behavioral2/memory/2292-6-0x0000000010000000-0x000000001001F000-memory.dmp
  behavioral2/memory/4080-7-0x0000000010000000-0x000000001001F000-memory.dmp
  behavioral2/memory/2292-8-0x0000000010000000-0x000000001001F000-memory.dmp

  The rule fires on the dropped file and on the same 0x1F000-byte module region at 0x10000000 (the default image base of a 32-bit DLL) in both PID 4080 and PID 2292, so both processes map the same UPX-packed module; unpack it with UPX or dump the region after the stub has run before looking for strings or exports.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  PID 2292  rundll32.exe  (3 calls)

  ThreadHideFromDebugger stops the calling thread from delivering debug events, a common anti-debugging step; expect a debugger attached to PID 2292 to lose those threads.

Drops file in Windows directory (2 IoCs)
  File created:                C:\Windows\msisue.dll   rundll32.exe
  File opened for modification: C:\Windows\msisue.dll   rundll32.exe

  Writing to C:\Windows requires the process to be elevated; the sandbox runs the sample with sufficient rights for this to succeed.

Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  PID 2292  rundll32.exe

Modifies registry class (5 IoCs)
  Key created:      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}   rundll32.exe
  Set value (str):  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll,1314612079,-85730467,-1814625877"   rundll32.exe
  Key created:      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32   rundll32.exe
  Key created:      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID   rundll32.exe
  Key created:      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}   rundll32.exe

  All writes land under WOW6432Node because the writer is the 32-bit SysWOW64 rundll32.exe (PID 4080) and HKLM\SOFTWARE\Classes\CLSID is redirected for 32-bit processes. InProcServer32 is the subkey in which a COM class's in-process DLL is registered; the string value under {7B3AC3FA-...} stores the sample's own filename plus three integers, which is worth checking as a persistence or configuration marker.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2292  rundll32.exe  (64 hits, all from the same process)

Suspicious use of WriteProcessMemory (6 IoCs)
  source PID  target PID  process       procid_target
  1528        4080        rundll32.exe  83   (3 writes)
  4080        2292        rundll32.exe  87   (3 writes)
Processes

  C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll,#1
    PID 1528
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll,#1
      PID 4080
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Windows\msisue.dll",_RunAs@16
        PID 2292
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Access Token Manipulation: Create Process with Token
        - Suspicious behavior: EnumeratesProcesses

Read top to bottom: the 64-bit rundll32.exe started by the sandbox (PID 1528) calls the sample's export at ordinal #1 and hands off to the 32-bit SysWOW64 rundll32.exe (PID 4080) with the same command line, as expected for a 32-bit DLL (consistent with the WOW6432Node registry writes and the 0x10000000 image base). PID 4080 writes C:\Windows\msisue.dll, creates the CLSID keys, and launches a third rundll32.exe (PID 2292) on the dropped file through the export _RunAs@16. The "@16" is stdcall decoration for 16 bytes of arguments, i.e. four 32-bit parameters, which matches the (HWND, HINSTANCE, LPSTR, int) prototype rundll32 expects; passing the decorated name on the command line means the DLL exports it exactly like that. The anti-debugging, process enumeration and token manipulation all happen in PID 2292, so that is the process to attach to or dump.
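The chain above (a rundll32 loading the sample from the user's Temp directory, writing a DLL into C:\Windows, registering CLSID keys, then spawning a further rundll32 on the dropped file) is the sort of sequence a detection engineer wants to catch from endpoint telemetry rather than from a sandbox. The following Python is an added example written for this page, not code from the sandbox or from any analysis of the sample: it runs a small rule over constructed, Sysmon-style events modelled on the report's process tree and IoCs (the dict field names, the assumed explorer.exe parent with PID 900, and the benign shell32.dll control event are all assumptions, not data from the report) and flags a rundll32 that loads a DLL an ancestor rundll32 dropped into C:\Windows.

```python
"""Detection replay for the rundll32 -> dropped-DLL chain in this report.

Added example; the event schema below is an assumption modelled loosely
on Sysmon event IDs 1 (process), 11 (file create) and 13 (registry set).
Nothing here is copied from a real log.
"""
import re

# Constructed sample events mirroring the report's tree and IoCs.
EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},  # assumed parent; not in the report
    {"type": "process", "pid": 1528, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll,#1"},
    {"type": "process", "pid": 4080, "ppid": 1528,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4084c06b7ab87de27ba98d5c7e8290ee_JaffaCakes118.dll,#1"},
    {"type": "file_create", "pid": 4080, "target": r"C:\Windows\msisue.dll"},
    {"type": "registry_set", "pid": 4080,
     "key": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32"},
    {"type": "process", "pid": 2292, "ppid": 4080,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32 "C:\Windows\msisue.dll",_RunAs@16'},
    # Benign control (constructed): rundll32 opening a Control Panel applet.
    {"type": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32[.exe] [ "]<dll>[" ],<entry>   (quotes optional, case-insensitive)
RUNDLL_CMD = re.compile(
    r'^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)
USER_TEMP = re.compile(r'^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)
WINDOWS_ROOT_DLL = re.compile(r'^C:\\Windows\\[^\\]+\.dll$', re.IGNORECASE)
CLSID_KEY = re.compile(r'\\Classes\\(?:WOW6432Node\\)?CLSID\\\{[0-9a-f-]{36}\}',
                       re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_CMD.match(cmdline.strip())
    return (m.group("dll"), m.group("entry")) if m else None


def is_rundll32(proc):
    return proc["image"].lower().endswith("\\rundll32.exe")


def ancestors(pid, procs):
    """Yield pid and then each parent pid up the chain that we have a record for."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid
        pid = procs[pid]["ppid"]


def detect_dropped_dll_chain(events):
    """Flag a rundll32 that loads a DLL an ancestor rundll32 wrote into C:\\Windows."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    # lower-cased dropped DLL path -> pid of the rundll32 that wrote it
    drops = {e["target"].lower(): e["pid"] for e in events
             if e["type"] == "file_create" and WINDOWS_ROOT_DLL.match(e["target"])
             and e["pid"] in procs and is_rundll32(procs[e["pid"]])}
    clsid_writes = {}
    for e in events:
        if e["type"] == "registry_set" and CLSID_KEY.search(e["key"]):
            clsid_writes.setdefault(e["pid"], []).append(e["key"])

    findings = []
    for pid, proc in procs.items():
        if not is_rundll32(proc):
            continue
        parsed = parse_rundll32(proc["cmdline"])
        if not parsed:
            continue
        dll, entry = parsed
        dropper = drops.get(dll.lower())
        if dropper is None:
            continue
        chain = list(ancestors(pid, procs))
        if dropper not in chain[1:]:
            continue  # dropped by an unrelated process; a different rule's job
        # Did any ancestor rundll32 load its DLL from a user-writable Temp dir?
        staged_from_temp = any(
            (p := parse_rundll32(procs[a]["cmdline"])) is not None and USER_TEMP.match(p[0])
            for a in chain[1:] if is_rundll32(procs[a]))
        findings.append({
            "pid": pid, "dropper_pid": dropper, "dll": dll, "entry": entry,
            "chain": chain, "staged_from_temp": staged_from_temp,
            "clsid_keys": sum(len(v) for a, v in clsid_writes.items() if a in chain),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dropped_dll_chain(EVENTS):
        print(finding)
```

Keying the rule on the dropper being an ancestor of the loader, rather than on the filename, keeps it independent of the msisue.dll name, which is the cheapest thing for the author to change between builds; the shell32.dll control event shows a legitimate rundll32 invocation passing through untouched. On real telemetry, feed it the same three event types from your EDR or Sysmon pipeline in place of the constructed list.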
Network

  (no network activity listed in this report)

MITRE ATT&CK Enterprise v15

  Access Token Manipulation: Create Process with Token (T1134.002), from the signature of the same name above.
Downloads

  Dropped file
    Filesize:  118KB
    MD5:       4084c06b7ab87de27ba98d5c7e8290ee
    SHA1:      b1f8a56ae57d5bc58d405e4f81e19a67f41dcce8
    SHA256:    7631a63e7547c1f31660db63a07a7dd8c1ad34126658d2d129df1745114ef051
    SHA512:    a09f3dd3169c23f3dd274efb7325db02ab5e4c73a4799478776a9a9cb8e988acf0b71d2a8a5d4f74f15c9215b76ec8d1c0d07dd7b176efcf600c27566df738cd

  These are exactly the submitted sample's hashes, so the file the report records being written is a byte-identical copy of the original DLL, not a second-stage payload; one set of file hashes covers both.