Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15/07/2024, 21:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll
Resource
win7-20240708-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll
-
Size
460KB
-
MD5
4b622445424e90102ec45d6dcf2db956
-
SHA1
67f0fd7a7c4db858b7cc5fb21c6a69a18bcd3cd1
-
SHA256
c24fbb57ccfcf281e39f53c68b8cd53beaaba26a6ceccf9ac7710cd804e233d3
-
SHA512
1b6e4acf80b9df8bb0e77dcaa03bfbf6860ed93d1d8423c04767ae3bc40156aab3a2065cd1630ad40b5610fd3ecc24f2f2411b3cefd9a677a914e7673fc83ef1
-
SSDEEP
6144:KgWc5DC/Wg4YCMcb46I6i9egZ/j+LNX+Cic5i212GguUJ0bAhEoLD68/qcT2:Nb0/b4YWLmegZyLNOQ0rL0shE+D6tcC
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll\",watch" rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe 3000 rundll32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2956 wrote to memory of 2996 2956 rundll32.exe 31 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32 PID 2996 wrote to memory of 3000 2996 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll,#12⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\4b622445424e90102ec45d6dcf2db956_JaffaCakes118.dll",watch3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000
-
-