Analysis
-
max time kernel
14s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29-07-2024 12:32
Static task
static1
Behavioral task
behavioral1
Sample
46e6c3cbf8a7090d1639da8a01c510c0_JaffaCakes118.dll
Resource
win7-20240704-en
General
-
Target
46e6c3cbf8a7090d1639da8a01c510c0_JaffaCakes118.dll
-
Size
95KB
-
MD5
46e6c3cbf8a7090d1639da8a01c510c0
-
SHA1
1fbb273e529635bb4fa20ddb5aef1f280052ec04
-
SHA256
7e881e90e1238e7088dc3e9cb7c380af38f00f4df827da8289534fc6c7d7d3d7
-
SHA512
1975512fbaa66f11904252facd3622d2cf053ccd18efc51ecd2e319469605c88d64bd8a6264f61f668c304f99cd7c4d6d302f72b57e61ab4d39c14b3775220ad
-
SSDEEP
1536:+uCVt72eqTkn0mCpZnMXSlEGg/kdndKPOLPuzvGE6QkzmQiFbKaH:NCVgICPMXSlEGgEcPO9E6sQiF1H
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
rundll32.exedescription pid process Token: SeImpersonatePrivilege 2472 rundll32.exe Token: SeTcbPrivilege 2472 rundll32.exe Token: SeChangeNotifyPrivilege 2472 rundll32.exe Token: SeCreateTokenPrivilege 2472 rundll32.exe Token: SeBackupPrivilege 2472 rundll32.exe Token: SeRestorePrivilege 2472 rundll32.exe Token: SeIncreaseQuotaPrivilege 2472 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 2472 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe PID 2444 wrote to memory of 2472 2444 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\46e6c3cbf8a7090d1639da8a01c510c0_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\46e6c3cbf8a7090d1639da8a01c510c0_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2472