Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
30-07-2024 00:40
Static task
static1
Behavioral task
behavioral1
Sample
6aee58b63843a0d73a98a2922092de8a_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
6aee58b63843a0d73a98a2922092de8a_JaffaCakes118.dll
Resource
win10v2004-20240709-en
General
-
Target
6aee58b63843a0d73a98a2922092de8a_JaffaCakes118.dll
-
Size
839KB
-
MD5
6aee58b63843a0d73a98a2922092de8a
-
SHA1
abc6ac9a98360aa065f32e15d0a9293f8aa26e32
-
SHA256
fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
-
SHA512
ab93f97b94953edc7d051ffa48cf444d4f09af479746ad88b86907e50d8984919fa1fdef473b2cb73adcb23378c03a81a06eece1cf7b1d12a469c0eec943d20c
-
SSDEEP
6144:XkX7Ahus9knpaHe51x/ZD6KJ02lclcB6BQVnhLbm6BN6BILsWwrdsWhc:0Ehus+5rZDjJ025oQVhX3UjdrdsWy
Malware Config
Extracted
zloader
xls_spam_2809
divader
https://fqnesas.ru/gate.php
https://fqnvsdaas.su/gate.php
https://fqnvtmqass.ru/gate.php
https://fqnvtcpheas.su/gate.php
https://fqnvtmophfeas.ru/gate.php
https://fqnceas.su/gate.php
https://fqlocpeas.ru/gate.php
https://dksaiijn.ru/gate.php
https://dksafjasnf.su/gate.php
https://fjsafasfsa.ru/gate.php
-
build_id
80
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylev = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Iwiso\\mewyl.dll" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2088 set thread context of 2980 2088 rundll32.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSecurityPrivilege 2980 msiexec.exe Token: SeSecurityPrivilege 2980 msiexec.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2632 wrote to memory of 2088 2632 rundll32.exe 31 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32 PID 2088 wrote to memory of 2980 2088 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6aee58b63843a0d73a98a2922092de8a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6aee58b63843a0d73a98a2922092de8a_JaffaCakes118.dll,#12⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-