Analysis
- max time kernel: 149s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2024, 10:43
Static task: static1
Behavioral task: behavioral1
- Sample: 6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll
- Resource: win10v2004-20240709-en
General
- Target: 6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll
- Size: 352KB
- MD5: 6028d40abb4d88daef7aea1a5f0abc31
- SHA1: 45e8aaf58f285cefb18c58e51539e1201a8d0fa7
- SHA256: af784122e09b3e62f729164105a64e96d5bc687eaeaad06b17597d085d3cfe70
- SHA512: 085544e42552e770e822960f0db2d6da517fe8030d48b1becc2c70be4099349b50b52c4b5694f846466e274ee6047d967603b804ae2dcde0857817a6ae18ed5c
- SSDEEP: 1536:WmwKcsNXICwlfYY4gzJOMwDIl5kFilMA4fjOkTTdqruZlVBxgCFjn5O:V9KCYX0MwDIpshTQu3nzxns
Malware Config
Signatures
- Drops file in System32 directory (2 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\lua.wkl (rundll32.exe)
  - File opened for modification: C:\Windows\SysWOW64\lua.wkl (rundll32.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  - PID 1328 rundll32.exe (listed 3 times)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\msocx.dll (rundll32.exe)
  - File opened for modification: C:\Windows\msocx.dll (rundll32.exe)
- Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  - PID 1328 rundll32.exe
- Modifies registry class (5 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll,1294484522,-2036409223,-352895392" (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 1328 rundll32.exe (all 64 entries are identical)
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 2876 wrote to memory of 1324 (rundll32.exe, procid_target 29), listed 7 times
  - PID 1324 wrote to memory of 1328 (rundll32.exe, procid_target 30), listed 7 times
Processes
- C:\Windows\system32\rundll32.exe (PID 2876, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1324, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6028d40abb4d88daef7aea1a5f0abc31_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1328, depth 3)
      Command line: rundll32 "C:\Windows\msocx.dll",_RunAs@16
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Access Token Manipulation: Create Process with Token
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15