Analysis

max time kernel: 148s
max time network: 23s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 20:11
Static task: static1

Behavioral task: behavioral1
Sample: 4b371249c56cb10050a2759e82db6ace_JaffaCakes118.dll
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 4b371249c56cb10050a2759e82db6ace_JaffaCakes118.dll
Resource: win10v2004-20240709-en
General

Target: 4b371249c56cb10050a2759e82db6ace_JaffaCakes118.dll
Size: 476KB
MD5: 4b371249c56cb10050a2759e82db6ace
SHA1: 8a60871e3ed0acdfdc90ec64481c92a68fea483a
SHA256: 426f713ff23d28bd8aa7bc2b3580841cff729fe40488782632412a23d95a2698
SHA512: 887e1b92ecbfcfde676bea1873241d20dff7ac198be7526937d9a4bbee6f4684dfde1ec6ab6250211463eb2a8aa5f15a566d00afce65470413c796b01d13a52b
SSDEEP: 12288:RSJOZpq/K5w60ECocqmvyTVB4sSvEzfoVHKq2VS4PqL:RSsZKM7Cnr6TsBczy4s
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                   Process
  File opened for modification   \??\PhysicalDrive0    rundll32.exe

Drops file in System32 directory (2 IoCs)
  description    ioc                                Process
  File created   C:\Windows\SysWOW64\18123-19-77    rundll32.exe
  File created   C:\Windows\SysWOW64\649            rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid    Process        procid_target
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
  PID 2256 wrote to memory of 580   2256   rundll32.exe   29
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b371249c56cb10050a2759e82db6ace_JaffaCakes118.dll,#1
  PID: 2256
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b371249c56cb10050a2759e82db6ace_JaffaCakes118.dll,#1
      PID: 580
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory