Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 09:19
Static task
static1
Behavioral task
behavioral1
Sample
62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll
Resource
win7-20240704-en
General
Target: 62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll
Size: 1.3MB
MD5: 62aa951d7c043b9ab09eba4cf190a8a0
SHA1: 98100b81d653034bdc269ca74609466d6bd7f1a4
SHA256: 3ae9e6413dfeab7c352a6725d94781fef66da320691760173b8973b63607e00d
SHA512: 417c2a6828e5122731c7300eedc55e3f73a0a5691a7f14d7fe20cf39aa2c887e0b21d8e6527fcf3dc296c08507f4389078bb0b76f04199501adcde474fcd2826
SSDEEP: 12288:0DF3Jd1x080T/mlJpA/77Z8ZKdo/SMZoSr2SnPiXiydhwXGGGGXdhw7Q3:0DD2TmfpA/776KlMPZPiXJdcdMg
Malware Config
Signatures
Detect Blackmoon payload 3 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/2384-14-0x0000000002240000-0x0000000002274000-memory.dmp  family_blackmoon
  behavioral1/memory/2384-13-0x0000000002240000-0x0000000002274000-memory.dmp  family_blackmoon
  behavioral1/memory/2384-15-0x0000000002240000-0x0000000002274000-memory.dmp  family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs
  Detects file using ACProtect software.
  resource                                     yara_rule
  behavioral1/files/0x000b0000000120f1-4.dat   acprotect

ASPack v2.12 - v2.42 (yara rule aspack_v212_v242) 1 IoCs
  resource                                     yara_rule
  behavioral1/files/0x0007000000018722-11.dat  aspack_v212_v242

Loads dropped DLL 2 IoCs
  pid   Process
  2384  rundll32.exe
  2384  rundll32.exe

UPX packed file (yara rule upx) 2 IoCs
  resource                                                                     yara_rule
  behavioral1/files/0x000b0000000120f1-4.dat                                   upx
  behavioral1/memory/2384-6-0x0000000000C60000-0x0000000000C9D000-memory.dmp   upx

Drops file in System32 directory 6 IoCs
  description                   ioc                                         Process
  File opened for modification  C:\Windows\SysWOW64\SkinH_EL.dll            rundll32.exe
  File created                  C:\Windows\SysWOW64\Aero.she                rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\aero.she                rundll32.exe
  File created                  C:\Windows\SysWOW64\数据库文件(勿删).dll       rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\数据库文件(勿删).dll       rundll32.exe
  File created                  C:\Windows\SysWOW64\SkinH_EL.dll            rundll32.exe
  Note: the file name 数据库文件(勿删).dll ("database file (do not delete).dll") is GBK-encoded and appears in the raw report as the mojibake Êý¾Ý¿âÎļþ(Îðɾ).dll; a file-name IoC should match either spelling. Because the writing process is the 32-bit rundll32, "System32" here is the WoW64-redirected C:\Windows\SysWOW64 directory.

Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  2384  rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs
  pid   Process
  2384  rundll32.exe   (64 identical entries)

Suspicious use of WriteProcessMemory 7 IoCs
  description                       pid   Process       procid_target
  PID 2368 wrote to memory of 2384  2368  rundll32.exe  30   (7 identical entries)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
  PID: 2368
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
      PID: 2384
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

The 64-bit rundll32 (PID 2368) re-launches the 32-bit SysWOW64 rundll32 (PID 2384) with the same command line because the sample is a 32-bit DLL; the WriteProcessMemory entries are that parent writing into its newly created child, and every file drop, hook and process enumeration is attributed to the 32-bit child.
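The packer signatures above (UPX, ASPack, ACProtect) and the System32-to-SysWOW64 rundll32 hand-off in the process tree can both be predicted from the PE headers before detonation. The script below is an added example, not part of the sandbox report or its tooling: it parses the COFF file header and section table, reports which rundll32 copy will end up loading the DLL, and lists packer hints from default section names. The PE image it parses is constructed in build_sample_pe() so the script runs offline and is not the analysed sample; the section-name table is a heuristic (an assumption, with ".perplex" for ACProtect taken from common reporting) and is no substitute for the report's yara rules.

```python
"""Static PE triage: predict the rundll32 loader and read packer hints.

Added example for this report, not the sandbox's own code. The bytes parsed
below come from build_sample_pe() (constructed input), not from the sample.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000

# Default section names of the packers named in the report. UPX and ASPack
# use these by default; ".perplex" for ACProtect is an assumption from
# common reporting, not something the sandbox output states.
PACKER_SECTION_HINTS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
    "ACProtect": {".perplex"},
}


def parse_pe(data: bytes) -> dict:
    """Read the COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after "PE\0\0"
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    sec_table = fh + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = sec_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
        })
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def expected_rundll32(info: dict):
    """On 64-bit Windows the System32 rundll32 cannot load a 32-bit DLL; it
    re-launches the SysWOW64 (32-bit) rundll32 with the same command line,
    which is the parent/child pair seen in the report's process tree."""
    if info["machine"] == IMAGE_FILE_MACHINE_I386:
        return r"C:\Windows\SysWOW64\rundll32.exe"
    if info["machine"] == IMAGE_FILE_MACHINE_AMD64:
        return r"C:\Windows\System32\rundll32.exe"
    return None


def packer_hints(info: dict) -> list:
    """Packer names whose default section names appear, plus a generic flag
    for a section with no raw data but a large virtual size (the usual
    unpacking destination, e.g. UPX0)."""
    names = {s["name"] for s in info["sections"]}
    hits = [p for p, secs in PACKER_SECTION_HINTS.items() if names & secs]
    if any(s["rawsize"] == 0 and s["vsize"] >= 0x1000 for s in info["sections"]):
        hits.append("empty-raw-section")
    return hits


def build_sample_pe(machine: int, sections, dll: bool = True) -> bytes:
    """Construct a header-only PE (test input, not a real or runnable binary).
    `sections` is a list of (name, virtual_size, raw_size)."""
    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 0xF0 if is64 else 0xE0  # PE32+ vs PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    chars = 0x0002 | (0 if is64 else 0x0100) | (IMAGE_FILE_DLL if dll else 0)
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, chars)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if is64 else 0x10B)  # magic
    table = b""
    vaddr, rawptr = 0x1000, 0x400
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize,
                             rawptr, 0, 0, 0, 0, 0xE0000020)
        vaddr += (vsize + 0xFFF) & ~0xFFF  # next section on a 4 KiB page boundary
        rawptr += rawsize
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(optional) + table


if __name__ == "__main__":
    # Constructed 32-bit, UPX-style DLL: UPX0 has no raw data, UPX1 holds the packed code.
    sample = build_sample_pe(IMAGE_FILE_MACHINE_I386,
                             [("UPX0", 0x30000, 0), ("UPX1", 0x10000, 0x10000), (".rsrc", 0x1000, 0x1000)])
    info = parse_pe(sample)
    print("machine=0x%04x dll=%s" % (info["machine"], info["is_dll"]))
    print("expected loader:", expected_rundll32(info))
    print("packer hints:", packer_hints(info))
```

Running it against a real sample means replacing the constructed bytes with the file contents; the parser only touches the headers, so it is safe on packed or truncated input as long as the section table is present.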
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 86KB
MD5: 147127382e001f495d1842ee7a9e7912
SHA1: 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512: 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
-
Filesize: 59KB
MD5: c9df0cc26b1d586f2c58b27a22d6a154
SHA1: 160f81ac48751f939b4e286aab636abafb663898
SHA256: 52f0a16626ccbf8921ae43d322090d67609beca5595968e5f9b530c2776ea4ec
SHA512: 9ac797aea76f52f4d386b46e1b4f29f1ea0903e604c614205e37457e6195de2043a9e625f0ea5b1ca87a4004b7a89acaa0c4eabd1d742b26fcf544176af10a07