Analysis
-
max time kernel
150s -
max time network
87s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 21:04
Static task
static1
Behavioral task
behavioral1
Sample
81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll
Resource
win10v2004-20240730-en
General
-
Target
81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll
-
Size
32KB
-
MD5
81c41b32dc40d11c75fa9f98ce3b6ec2
-
SHA1
1849f8615d3c76cc7ea2b201b80cd66b55cf78f5
-
SHA256
83e30f6099aa9c733577c7b01ab1e4e722010a6aae35bf5852958c6a0200a307
-
SHA512
f60fd84b033c057040bd30b74e4784a9f0fe003a7f20dddc3044794404a58bc4d2e56f086db16121f7e914936bc46eec5874481a3c87ffce9aaf49cfa7e275f6
-
SSDEEP
384:ZbCrSXpOgj8RYn6B4gmoi6222+01JzRRUvwkUbGSMR9CHomS9M8ZCHomL:JCrSN6SgpUvHovWG5CHy5CHr
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 924 rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" rundll32.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\F: rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid process 924 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe PID 2960 wrote to memory of 924 2960 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll,#12⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5b5eb5bd3066959611e1f7a80fd6cc172
SHA16fb1532059212c840737b3f923a9c0b152c0887a
SHA2561ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
SHA5126c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6