Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 08:03
Behavioral task: behavioral1
Sample: 733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll
Resource: win10v2004-20240709-en
General
Target: 733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll
Size: 26KB
MD5: 733741d586bd47f091bac0682534bd6c
SHA1: bdba82d02840654ad230cc3646ea9309d6b9f6d2
SHA256: 0fbc1f00d10dbb305d5bf05826b580b9575ba4e001dd749bfdbb2f7db4fd701c
SHA512: c27925808bb84ea42889774654c479c7629ec10ee1ae4f75fa20fd38b10b3b22d0b31942c1daea756dc5cdcddcb07da94248f13d5e3a28159652548cf2eeebf2
SSDEEP: 384:4nTow/H30QvvdeATfsX0hkPypugWgyE3AQ46OGLUOJ6IpoAVAcMoYz+iAXHUt:4nTl0QN3jsj6DAQm4vXWAVQtz+iAc
Malware Config
Signatures
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

resource | yara_rule
behavioral1/memory/2396-0-0x0000000010000000-0x0000000010014000-memory.dmp | upx

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | rundll32.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\batmeter16.dll | rundll32.exe
File opened for modification | C:\Windows\batmeter16.dll | rundll32.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{6c71c2db-1a2f-44df-8425-feb17fcb8573}\InProcServer32\ThreadingModel = "Apartment" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\PROTOCOLS\Filter\text/html | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\PROTOCOLS\Filter\text/html\ = "Microsoft Default HTML MIME Filter" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\PROTOCOLS\Filter\text/html\CLSID = "{6c71c2db-1a2f-44df-8425-feb17fcb8573}" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{6c71c2db-1a2f-44df-8425-feb17fcb8573} | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{6c71c2db-1a2f-44df-8425-feb17fcb8573}\InProcServer32\ = "C:\\Windows\\batmeter16.dll" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\PROTOCOLS | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\PROTOCOLS\Filter | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{6c71c2db-1a2f-44df-8425-feb17fcb8573}\InProcServer32 | rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2396 | rundll32.exe
2396 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
PID 2568 wrote to memory of 2396 | 2568 | rundll32.exe | 30
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll,#1
  PID: 2568
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll,#1
    PID: 2396
    - Maps connected drives based on registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 20KB
MD5: 162b6962debc48b3998d607399609602
SHA1: c5c8dc769ca5da4412b33ebd73c63fbda71f7f37
SHA256: 655c248a3d7fa6d21196a69f0de6f3673ecd03f01924432df0171148990781b9
SHA512: 15c3fe7f7f25bff1e858aa1967d61dd09c28f95d32d52a57285d7dfdd63d51ce27afbbfb9c959f78defeb37592bc8cec8a0976908dd0d788348e978563baca33