Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 08:03

General

  • Target

    733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll

  • Size

    26KB

  • MD5

    733741d586bd47f091bac0682534bd6c

  • SHA1

    bdba82d02840654ad230cc3646ea9309d6b9f6d2

  • SHA256

    0fbc1f00d10dbb305d5bf05826b580b9575ba4e001dd749bfdbb2f7db4fd701c

  • SHA512

    c27925808bb84ea42889774654c479c7629ec10ee1ae4f75fa20fd38b10b3b22d0b31942c1daea756dc5cdcddcb07da94248f13d5e3a28159652548cf2eeebf2

  • SSDEEP

    384:4nTow/H30QvvdeATfsX0hkPypugWgyE3AQ46OGLUOJ6IpoAVAcMoYz+iAXHUt:4nTl0QN3jsj6DAQm4vXWAVQtz+iAc

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\733741d586bd47f091bac0682534bd6c_JaffaCakes118.dll,#1
      2⤵
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C16D.tmp

    Filesize

    20KB

    MD5

    162b6962debc48b3998d607399609602

    SHA1

    c5c8dc769ca5da4412b33ebd73c63fbda71f7f37

    SHA256

    655c248a3d7fa6d21196a69f0de6f3673ecd03f01924432df0171148990781b9

    SHA512

    15c3fe7f7f25bff1e858aa1967d61dd09c28f95d32d52a57285d7dfdd63d51ce27afbbfb9c959f78defeb37592bc8cec8a0976908dd0d788348e978563baca33

  • memory/2396-0-0x0000000010000000-0x0000000010014000-memory.dmp

    Filesize

    80KB