Analysis
  max time kernel:  16s
  max time network: 16s
  platform:         windows7_x64
  resource:         win7-20240729-en
  resource tags:    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted:        18/09/2024, 18:55
Static task
  static1
Behavioral task
  behavioral1
    Sample:   e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll
    Resource: win7-20240729-en
Behavioral task
  behavioral2
    Sample:   e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll
    Resource: win10v2004-20240910-en
General
  Target: e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll
  Size:   28KB
  MD5:    e9c5d42c51c76f1509a8b4974f08c1d3
  SHA1:   7a0626a09fb864c2a190678b74383585462c7078
  SHA256: ab3765718711ee51410d351814035345cab48c597a621e8fe79e765c94c7e3f4
  SHA512: 2a3cc1d6f60d25fe36cd6dfcb8cf15b631026ba3e1d971ea916819213fa04b653c428c50e1670f16dabc0cc0d19c2b357aec88e7646d4ee8b0e30d1abf16c92a
  SSDEEP: 384:N1kyfNlRclKiHD7LFByFAkgedP+N2GLOYmoD5p1usQTq:NVRcMiHDGFAk9hA09w1G
Malware Config
Signatures
  Blocklisted process makes network request (1 IoC)
    flow  pid   Process
    2     2576  rundll32.exe

  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

  Suspicious behavior: EnumeratesProcesses (48 IoCs)
    pid   Process
    2576  rundll32.exe   (48 identical entries)

  Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process       procid_target
    PID 2380 wrote to memory of 2576  2380  rundll32.exe  29             (7 identical entries)
Processes
  C:\Windows\system32\rundll32.exe  (PID 2380)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 2576, child of 2380)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll,#1
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

The 64-bit rundll32.exe in system32 relaunching the 32-bit copy in SysWOW64 with the same DLL and entry point (ordinal #1) is the loader's normal handling of a 32-bit DLL, and the WriteProcessMemory events are PID 2380 setting up that child; on their own they are not evidence of injection. The behaviour worth acting on is in the child (PID 2576): a DLL loaded from the user's Temp directory, an outbound network request, and the read of the NLS\Language key.
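The following is an added triage example, not part of the sandbox report or any vendor's detection content. It replays the report's process tree and IoCs as constructed Sysmon-style events (PIDs 2380 and 2576, flow 2, the NLS\Language key) and shows the distinction the notes above make: the system32-to-SysWOW64 rundll32 relaunch with identical arguments is reported as informational, while a rundll32 that loads a DLL from a user-writable AppData path, touches the language key, or opens a network flow accumulates real findings. The event schema (type, pid, ppid, image, cmdline, key, flow), the regexes and the two-finding threshold in suspicious_pids are assumptions of this example, not anything the report defines.

```python
"""Triage rundll32 activity of the kind recorded in the report above.

Added example. Events are constructed to mirror the report's process tree
and IoCs; the field names are an assumed normalised schema, not a specific
product's log format.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed events mirroring the report (not real telemetry).
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e9c5d42c51c76f1509a8b4974f08c1d3_JaffaCakes118.dll")
EVENTS: List[dict] = [
    {"type": "process_create", "pid": 2380, "ppid": 1234,   # ppid is assumed
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 2576, "ppid": 2380,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "registry_open", "pid": 2576,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "network_flow", "pid": 2576, "flow": 2},
]

# DLL paths under a user's AppData are writable by that user (assumed policy).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# rundll32 <dll>[,<entry>]  where <entry> is a name or #ordinal.
RUNDLL_CMD = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>.+?)(?:,(?P<entry>\S+))?\s*$", re.IGNORECASE)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def loaded_dll(cmdline: str) -> str:
    m = RUNDLL_CMD.search(cmdline)
    return m.group("dll").strip('"') if m else ""


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Return findings per rundll32 PID; lines prefixed 'info:' are benign context."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings: Dict[int, List[str]] = defaultdict(list)

    for pid, p in procs.items():
        if not is_rundll32(p["image"]):
            continue
        dll = loaded_dll(p["cmdline"])
        if USER_WRITABLE.match(dll):
            findings[pid].append(f"rundll32 loading DLL from user-writable path: {dll}")
        parent = procs.get(p["ppid"])
        if parent and is_rundll32(parent["image"]):
            same_dll = loaded_dll(parent["cmdline"]).lower() == dll.lower()
            wow64_hop = ("\\system32\\" in parent["image"].lower()
                         and "\\syswow64\\" in p["image"].lower())
            if same_dll and wow64_hop:
                # 64-bit rundll32 handing a 32-bit DLL to the 32-bit copy: expected.
                findings[pid].append("info: WoW64 relaunch of the same DLL by 64-bit rundll32")
            else:
                findings[pid].append("rundll32 spawned by rundll32 with different arguments")

    for e in events:
        p = procs.get(e.get("pid"))
        if not p or not is_rundll32(p["image"]):
            continue
        if e["type"] == "registry_open" and e["key"].lower().endswith("\\control\\nls\\language"):
            findings[e["pid"]].append(f"System Language Discovery (T1614.001): opened {e['key']}")
        elif e["type"] == "network_flow":
            findings[e["pid"]].append(f"rundll32 made a network request (flow {e['flow']})")
    return dict(findings)


def suspicious_pids(events: List[dict], threshold: int = 2) -> List[int]:
    """PIDs with at least `threshold` non-informational findings (threshold is assumed)."""
    return sorted(pid for pid, fs in triage(events).items()
                  if sum(not f.startswith("info:") for f in fs) >= threshold)


if __name__ == "__main__":
    for pid, fs in triage(EVENTS).items():
        print(pid, *fs, sep="\n  ")
    print("suspicious:", suspicious_pids(EVENTS))
```

Run against the constructed events, PID 2380 collects only the user-writable-path finding and PID 2576 collects that plus the registry and network findings, so only 2576 crosses the threshold; the relaunch itself stays informational.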