Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
10/08/2024, 03:08
General
-
Target
8495f179b7ef1be19104f81ecbcec94d_JaffaCakes118.dll
-
Size
133KB
-
MD5
8495f179b7ef1be19104f81ecbcec94d
-
SHA1
7459fe5875a169e19b7d4d2fd3a17e3cfbcf8d5f
-
SHA256
b50f48dae2d38e8ebceaf67193264677e37263734a03632ac51c8e50f4bc06e3
-
SHA512
b5db7365e92c92d7cf314d260950b288aad6faa30576c9369d654059ed7b81e8a01d699a2c2560f2ffd6542b2c5fde45228502781991b2218685bb70cd57bbad
-
SSDEEP
3072:I0wpqFegLt9a46GT40hAzJLv2jW//0Myx9yFr:I0RFegLtjMA2FvCW//0Dxo
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8495f179b7ef1be19104f81ecbcec94d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8495f179b7ef1be19104f81ecbcec94d_JaffaCakes118.dll,#12⤵
- Server Software Component: Terminal Services DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\\259460207.BaT3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k NSTOP1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
278B
MD5d48fe6ded7e895559b191b6063a8ad27
SHA1f734b85aadfc646b9f60709d5c496e5ef91423e4
SHA2565022f7900c14fbc37332427726850ff9464522e964a797be1bc0068dd1f9717b
SHA5128d9aa3daa297161b8d231eea5f68f9b413070aa285b72cd44a9c787da05ada9b2a255ea3e8ed7a4c9492ee0385de60ac4ba9da7972e08d8f2d1359ac0d7bf6fa
-
Filesize
133KB
MD58495f179b7ef1be19104f81ecbcec94d
SHA17459fe5875a169e19b7d4d2fd3a17e3cfbcf8d5f
SHA256b50f48dae2d38e8ebceaf67193264677e37263734a03632ac51c8e50f4bc06e3
SHA512b5db7365e92c92d7cf314d260950b288aad6faa30576c9369d654059ed7b81e8a01d699a2c2560f2ffd6542b2c5fde45228502781991b2218685bb70cd57bbad
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB