Analysis
max time kernel: 141s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 08:37
Static task: static1
Behavioral task: behavioral1
  Sample: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
Size: 70KB
MD5: 5fc85e4419d8733b43b5ae25afb88fbd
SHA1: 650b8906819e7b96b82a1788b58c5993c6b71c4a
SHA256: 6c7c6101a3de28e0abbb30de69473479e28d518d67d122df5c0b64f1325cb637
SHA512: 689b3195c7e79cdca6962911b9de3fe60d3e27ad19ba42e852e261d8b0e28e19aef2eb58b5f707ef21a23a1031adbd721f6b271642d0b518ae9710d46d6bc32d
SSDEEP: 1536:ACGeHGDJz+grk1IfNvh1NWgywTFZKKydVYHg9S:AjR+o4gFhZKwg
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  PID 1440 rundll32.exe
  PID 4420 rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gxemikik = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\nathpk.dll\",Startup" (written by rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1440 rundll32.exe (12 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3340 (5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe) wrote to memory of PID 1440 (rundll32.exe), procid_target 84, 3 events
  PID 1440 (rundll32.exe) wrote to memory of PID 4420 (rundll32.exe), procid_target 96, 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe (PID 3340)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1440)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\nathpk.dll",Startup
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 4420)
         Command line: rundll32.exe "C:\Users\Admin\AppData\Local\nathpk.dll",iep
         - Loads dropped DLL
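The persistence chain above is easy to state as a host check: a Run-key value that invokes rundll32.exe on a DLL sitting in a user-writable directory, and subsequent rundll32 command lines calling exports of that same DLL. The following is an added example, not part of the sandbox report or of the sample; it parses rundll32 command lines and Run-key data offline. The inputs are constructed copies of the value and command lines shown above, plus one benign control line (shell32.dll,Control_RunDLL) chosen for contrast; the function names and the user-writable path list are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: the Run-key data and the two rundll32 command lines
# shown in the report above, plus a benign control line (constructed).
RUN_KEY_VALUE = 'rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\nathpk.dll",Startup'
CMDLINES = [
    'rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\nathpk.dll",Startup',
    'rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\nathpk.dll",iep',
    'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',  # benign control
]

# Directories an unprivileged user can write to (assumed list, lower-case,
# matched as substrings of the DLL path). A DLL auto-started from one of
# these via rundll32 is the pattern the Run-key signature above describes.
USER_WRITABLE = (
    r"\appdata\local",
    r"\appdata\roaming",
    r"\users\public",
    r"\programdata",
)

# rundll32 [path\]rundll32[.exe]  <dll>,<export>
# The DLL may be quoted; an unquoted DLL path is taken up to the first comma
# or whitespace, so unquoted paths containing spaces are not handled.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'
    r'\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class Rundll32Call:
    dll: str
    export: str
    user_writable: bool


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into DLL path and export; None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    low = dll.lower()
    return Rundll32Call(
        dll=dll,
        export=m.group("export"),
        user_writable=any(p in low for p in USER_WRITABLE),
    )


def run_key_finding(value_name: str, value_data: str) -> Optional[str]:
    """Flag a Run-key entry that starts a DLL from a user-writable path via rundll32."""
    call = parse_rundll32(value_data)
    if call is None or not call.user_writable:
        return None
    return (f"Run\\{value_name}: rundll32 loads {call.dll} "
            f"(export {call.export}) from a user-writable path")


def exports_invoked(dll_path: str, cmdlines) -> list:
    """Exports that rundll32 called on dll_path (case-insensitive) across cmdlines."""
    wanted = dll_path.lower()
    calls = (parse_rundll32(c) for c in cmdlines)
    return [c.export for c in calls if c is not None and c.dll.lower() == wanted]


if __name__ == "__main__":
    finding = run_key_finding("Gxemikik", RUN_KEY_VALUE)
    print(finding)
    dll = parse_rundll32(RUN_KEY_VALUE).dll
    print("exports invoked on", dll, "->", exports_invoked(dll, CMDLINES))
```

On a live host the same two functions would be fed the string values under HKCU\...\CurrentVersion\Run and the rundll32.exe command lines from process-creation telemetry; the check deliberately keys on the DLL location rather than on the name nathpk.dll or the export names, which are trivially changed between samples.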
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: f5224980dd9e1b73abe55009ba2a2ea3
SHA1: 8d4bb7f08704bfdd7770b9f9701d868e6962194e
SHA256: b0a4af04681bdbb45ae4b085be4d4e0c46bbfb2b354012308fd014983df651de
SHA512: c6c6e4237caa87707296aca90de17ee9add3bc96ad7018774d96c6444658900ef76313bca653cf5083505c8f221ab607940897168594ae4dea4884318edd88f6