hancitor | 0bce56f1587478cdb44adc1a4b7fa9b58c027ac414fda97bc9c8b5d60098d825

Analysis

max time kernel
140s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-07-2024 22:01

Target

593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll
Size

648KB
MD5

593f4c3d291e75903b8e30c63a696848
SHA1

b10e99e3600701312295052df27febc44a587ef4
SHA256

0bce56f1587478cdb44adc1a4b7fa9b58c027ac414fda97bc9c8b5d60098d825
SHA512

31ba7f21c3df68c0f89f440e792ec3153529545c1065b069655d9e1c1ef97b74c7d2cca7c9c077915b8088a75e80d495d1eaf42ce2300b056d0c9852b756985b
SSDEEP

12288:ZXca4e6QwokAzbPzxPI6mFoaR5SAXhnsGs7GyoXery0AbKvuA:Zslem2z7zCXr+jo5Kvu

Score

10^/10

Family

hancitor

Botnet

1602_78210h

http://eviddinlahal.com/8/forum.php

http://saisepsdrablis.ru/8/forum.php

http://obvionsweyband.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1800	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30
PID 304 wrote to memory of 1800	304	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\593f4c3d291e75903b8e30c63a696848_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

memory/1800-0-0x0000000000250000-0x00000000002F6000-memory.dmp

Filesize
664KB

Download
memory/1800-1-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1800-2-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1800-3-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1800-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1800-6-0x0000000000250000-0x00000000002F6000-memory.dmp

Filesize
664KB

Download
memory/1800-8-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1800-9-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download