Analysis
  max time kernel:  93s
  max time network: 124s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        06/09/2024, 21:39
Static task
  static1
    signatures: 1
Behavioral task
  behavioral1
    Sample:     d0803bfb0ed2814a56f803c33b9f1a5e_JaffaCakes118.dll
    Resource:   win7-20240903-en
    signatures: 3
    duration:   150 seconds
General
  Target: d0803bfb0ed2814a56f803c33b9f1a5e_JaffaCakes118.dll
  Size:   62KB
  MD5:    d0803bfb0ed2814a56f803c33b9f1a5e
  SHA1:   2f114b1261fafb0569dc6def7ccd1012f1cce1b0
  SHA256: c82740891ea50fae8a7ce72fcac079c722eedb9bdcdb65549fc19a19ddc94cd5
  SHA512: 1a1dbc59724e77d442f36a44ce6326aee48dc87415f5a3cc1627a4dd8730d1bd45283b69c232bcccda55d1e2dade4c8586e9f330867b97ca01eac4cf30e5e709
  SSDEEP: 1536:clXMx/YikoLhRYLj3NrFHWIbTtdGfDUy:cSYibsXdrgkTXGfDU
Malware Config
Signatures

Yara rule matches (6 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/3672-3-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  behavioral2/memory/3672-7-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  behavioral2/memory/3672-8-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  behavioral2/memory/3672-6-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  behavioral2/memory/3672-4-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  behavioral2/memory/3672-0-0x0000000002010000-0x000000000201D000-memory.dmp  upx
  All six hits are successive dumps (indices 0, 3, 4, 6, 7, 8) of the same region in PID 3672: 0x2010000 to 0x201D000, i.e. 0xD000 (53248) bytes, matched by the upx rule each time. The repeated hits therefore describe one UPX-style region that stayed mapped across the run, not six separate artifacts.

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 3124 wrote to memory of 3672  3124  rundll32.exe  83
  PID 3124 wrote to memory of 3672  3124  rundll32.exe  83
  PID 3124 wrote to memory of 3672  3124  rundll32.exe  83
  Note: all three writes go from the 64-bit rundll32.exe (PID 3124) into its own child, the 32-bit rundll32.exe (PID 3672). A parent writing into a process it has just created is the ordinary source of this signature, so on its own it is not evidence of injection into an unrelated process; procid_target is the sandbox's process index, not the target PID.
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0803bfb0ed2814a56f803c33b9f1a5e_JaffaCakes118.dll,#1
    PID: 3124
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (child of PID 3124)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0803bfb0ed2814a56f803c33b9f1a5e_JaffaCakes118.dll,#1
      PID: 3672
      signatures: System Location Discovery: System Language Discovery
  The ",#1" argument calls the DLL's export at ordinal 1. The 64-bit rundll32.exe re-launching itself from SysWOW64 with the same arguments is what rundll32 does when handed a 32-bit DLL, which is consistent with the arch:x86 resource tag: the behaviour attributed to the sample (the NLS\Language key open and the UPX region) occurs in the 32-bit child, PID 3672.
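The following Python script is an added example, not part of the sandbox report or its tooling. It parses constructed copies of the report's own lines (the yara dump names, the WriteProcessMemory events and the two-process tree) into a structured summary: the UPX region's size and dump indices, the writer/target PID pairs, whether every write stayed parent-to-child, the system32 to SysWOW64 rundll32 hand-off, and the NLS\Language key match. The helper names (parse_dump_hit, summarize_dumps, cross_process_writes, writes_only_to_children, wow64_handoff, is_language_key) and the dump-name layout it assumes (<task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp) are this example's, inferred from the lines shown above.

```python
"""Added example: turn the report's signature and process lines into structured data.
All helper names are this example's own; the input strings below are constructed
copies of the lines in the report above."""
import re
from collections import defaultdict

# Constructed from the yara section: <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>
YARA_HITS = """\
behavioral2/memory/3672-3-0x0000000002010000-0x000000000201D000-memory.dmp upx
behavioral2/memory/3672-7-0x0000000002010000-0x000000000201D000-memory.dmp upx
behavioral2/memory/3672-8-0x0000000002010000-0x000000000201D000-memory.dmp upx
behavioral2/memory/3672-6-0x0000000002010000-0x000000000201D000-memory.dmp upx
behavioral2/memory/3672-4-0x0000000002010000-0x000000000201D000-memory.dmp upx
behavioral2/memory/3672-0-0x0000000002010000-0x000000000201D000-memory.dmp upx
"""
# Constructed from the WriteProcessMemory section: description, pid, Process, procid_target
WRITE_EVENTS = """\
PID 3124 wrote to memory of 3672 3124 rundll32.exe 83
PID 3124 wrote to memory of 3672 3124 rundll32.exe 83
PID 3124 wrote to memory of 3672 3124 rundll32.exe 83
"""
# Constructed from the process tree: the SysWOW64 rundll32 is the child of the system32 one.
PROCESSES = [
    {"pid": 3124, "parent": None, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 3672, "parent": 3124, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
]

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_dump_hit(line):
    """Split one dump-name line into its fields; addresses become integers."""
    m = DUMP_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised dump line: {line!r}")
    f = m.groupdict()
    return {"task": f["task"], "pid": int(f["pid"]), "index": int(f["index"]),
            "start": int(f["start"], 16), "end": int(f["end"], 16), "rule": f["rule"]}


def summarize_dumps(text):
    """Collapse repeated dumps of the same (pid, region, rule) into one entry with its size."""
    regions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            h = parse_dump_hit(line)
            regions[(h["pid"], h["start"], h["end"], h["rule"])].append(h["index"])
    return [{"pid": pid, "start": s, "end": e, "size": e - s, "rule": r, "dumps": sorted(ix)}
            for (pid, s, e, r), ix in regions.items()]


def cross_process_writes(text):
    """Count WriteProcessMemory events per (source pid, target pid) pair."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def writes_only_to_children(writes, processes):
    """True when every write goes from a parent into its direct child, the pattern
    ordinary process creation leaves behind; a write into an unrelated process is
    the case worth escalating as possible injection."""
    parent_of = {p["pid"]: p["parent"] for p in processes}
    return all(parent_of.get(dst) == src for src, dst in writes)


def wow64_handoff(processes):
    """Return (parent, child) pairs where system32\\rundll32.exe spawned
    SysWOW64\\rundll32.exe, the re-launch a 64-bit rundll32 performs for a 32-bit DLL."""
    image_of = {p["pid"]: p["image"].lower() for p in processes}
    return [(p["parent"], p["pid"]) for p in processes
            if p["parent"] in image_of
            and image_of[p["pid"]].endswith(r"\syswow64\rundll32.exe")
            and image_of[p["parent"]].endswith(r"\system32\rundll32.exe")]


def is_language_key(path):
    """Match the NLS\\Language key the sandbox attributes to System Language Discovery."""
    return path.upper().endswith(r"\CONTROL\NLS\LANGUAGE")


if __name__ == "__main__":
    for r in summarize_dumps(YARA_HITS):
        print(f"pid {r['pid']} rule {r['rule']} region 0x{r['start']:X}-0x{r['end']:X} "
              f"({r['size']} bytes) in dumps {r['dumps']}")
    w = cross_process_writes(WRITE_EVENTS)
    print("writes:", w, "parent->child only:", writes_only_to_children(w, PROCESSES))
    print("WoW64 hand-off:", wow64_handoff(PROCESSES))
    print("language key:", is_language_key(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"))
```

Run it as-is to reproduce the summary for this report; to reuse it on another report, paste that report's dump names, write events and process tree into the three constructed inputs. A writes_only_to_children result of False, or a wow64_handoff list that is empty while a SysWOW64 rundll32 still appears, is the point at which the process tree deserves a manual look.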