Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 01:34
Behavioral task
behavioral1
Sample
d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll
-
Size
37KB
-
MD5
d33eb9609eed42f3f4326f3c17784d49
-
SHA1
bc5228bed81e44dcb2cf0e88f8fe041249ee12bd
-
SHA256
48c419b5e3c86ad324b56d0aafcf9861a309f670667e053b7b33bea206c243d6
-
SHA512
d372cf5212df73322d0e2823d55273ee917835612fb51c1b24170852afba44fcb4ef9a1978bb7ba719fc91d8d53563862d908a0a62aff2e4a94b3628728143ca
-
SSDEEP
768:JgvRYQ6Tu98ZXmVhXqAi/mu3QcHRItXyXnbcuyD7UdR:GvRYQ8W+XmiA8pFxI5yXnouy8dR
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x00030000000230ad-4.dat acprotect -
Loads dropped DLL 1 IoCs
pid Process 2832 rundll32.exe -
resource yara_rule behavioral2/memory/1444-0-0x0000000010000000-0x000000001001F000-memory.dmp upx behavioral2/files/0x00030000000230ad-4.dat upx behavioral2/memory/1444-6-0x0000000010000000-0x000000001001F000-memory.dmp upx behavioral2/memory/2832-8-0x0000000010000000-0x000000001001F000-memory.dmp upx -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\lua.wkl rundll32.exe File created C:\Windows\mspime.dll rundll32.exe File opened for modification C:\Windows\mspime.dll rundll32.exe File opened for modification C:\Windows\lua.wkl rundll32.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 2832 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll,1312254664,1947795251,-352895392" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1708 wrote to memory of 1444 1708 rundll32.exe 83 PID 1708 wrote to memory of 1444 1708 rundll32.exe 83 PID 1708 wrote to memory of 1444 1708 rundll32.exe 83 PID 1444 wrote to memory of 2832 1444 rundll32.exe 87 PID 1444 wrote to memory of 2832 1444 rundll32.exe 87 PID 1444 wrote to memory of 2832 1444 rundll32.exe 87
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d33eb9609eed42f3f4326f3c17784d49_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\rundll32.exerundll32 "C:\Windows\mspime.dll",_RunAs@163⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2832
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5d33eb9609eed42f3f4326f3c17784d49
SHA1bc5228bed81e44dcb2cf0e88f8fe041249ee12bd
SHA25648c419b5e3c86ad324b56d0aafcf9861a309f670667e053b7b33bea206c243d6
SHA512d372cf5212df73322d0e2823d55273ee917835612fb51c1b24170852afba44fcb4ef9a1978bb7ba719fc91d8d53563862d908a0a62aff2e4a94b3628728143ca