Analysis
- max time kernel: 149s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2024 08:40
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
  Resource: win7-20240708-en
- Behavioral task: behavioral2
  Sample: 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
- Size: 49KB
- MD5: 4d927d11d82abc18260f23310f7753da
- SHA1: 3f7c83d8b6112533e9e9007dcc3d942aad6fe0ab
- SHA256: 524b6ef6399dab851c6da36ac3d2569ea076b5403aac896a324d47c58acae148
- SHA512: 45fe87dd3c0b9ff62028cbf9db310326705ec77dc3f1b87646036c83118810df56cb9261d7a1ff8c300d6c937023d9f22f64eaa53c772a78515f40266ad6ea93
- SSDEEP: 768:RM6vXHIn3W6z2SXibYPIKLiQZXVHjVRyYLv+OJxy8XBb2ffxUTQKwyIVOrpJk:RMUonmaXi/EZX9yYLxvxksyYpJk
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 20, pid 2352, process rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
  pid 2352, process rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\mlJAronm.dll,#1" (process rundll32.exe)
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\mlJAronm.dll (process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\mlJAronm.dll (process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe)
- Modifies registry class (4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\mlJAronm.dll" (process rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both" (process rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (process rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32 (process rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe (2 entries)
  pid 2352, process rundll32.exe (the remaining 62 of the 64 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4800 wrote to memory of 612 (pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe, procid_target 5)
  PID 4800 wrote to memory of 2352 (pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe, procid_target 88), 3 entries
  PID 4800 wrote to memory of 4324 (pid 4800, process 4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe, procid_target 89), 3 entries
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  Depth: 1, PID: 612
- C:\Users\Admin\AppData\Local\Temp\4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe"
  Depth: 1, PID: 4800
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\mlJAronm.dll,a
    Depth: 2, PID: 2352
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cbXRIxYO.bat "C:\Users\Admin\AppData\Local\Temp\4d927d11d82abc18260f23310f7753da_JaffaCakes118.exe"
    Depth: 2, PID: 4324
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 95B
  MD5: 769dc6951179a5282884e8584f3200df
  SHA1: 1fb2ba2351c96c1ed8f0227455d1075782722992
  SHA256: 207a03c4afd519e3a24048828d62e09662368f22046b52008877259d5a0961ee
  SHA512: 6d73728575e6a74910cfb1215ebaba92f453b1a0d3a52c2f7d997a8bf00ce6de5d1bd9bf6d8769b53b3ed9d60dfc19573edaacf3f96fb2763e1b9f4c7f2e2b04
- File 2
  Filesize: 36KB
  MD5: 19e1e7bcdebf690b79c3195d66a1da8b
  SHA1: ac46e2f4186c1b3c34d69889c419c98b85ca1a9b
  SHA256: e1fe0e54cf7313f43ff34d5fbc9b8d8362672a7f64db48f5bd252cc6be94ba47
  SHA512: ecf08f2048c77b31f18610f73799e7a82714e6ae82220168d56b8b600105bd52fe1cb99ad1601909721a4af7c698c4e81a7ccc93ecb9761b2c6609508fc70c26