Analysis

Max time kernel: 95s
Max time network: 96s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-09-2024 07:10
Static task: static1

Behavioral task: behavioral1
Sample: ead2a824ede16a732987d46b8a535601_JaffaCakes118.dll
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ead2a824ede16a732987d46b8a535601_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General

Target: ead2a824ede16a732987d46b8a535601_JaffaCakes118.dll
Size: 141KB
MD5: ead2a824ede16a732987d46b8a535601
SHA1: a5fa91cf1b6050e08739489a53dfc69d70e3ec8d
SHA256: e298f02fb04c12eb9d38db70d7bbf879b15a829d801a713e430cfe05a3211300
SHA512: 88b28c1cb4af46564e29e28e1cc45609b273153076ba64a109263f18df21ab9edb9447980a921fd6d50c9193c16fb5c8b6a18e18d8cb17f6fbd0a2a37c4f410d
SSDEEP: 3072:pECAJhkdOP17s/qaOi08OwyHxcnZGCCXl11PllV1V:pEvgOP17s/F08OaoCC1vl1V
Malware Config

Signatures

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  Description   IoC                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)

  Description                        PID    Process        procid_target
  PID 4932 wrote to memory of 4496   4932   rundll32.exe   82
  PID 4932 wrote to memory of 4496   4932   rundll32.exe   82
  PID 4932 wrote to memory of 4496   4932   rundll32.exe   82
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead2a824ede16a732987d46b8a535601_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4932
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ead2a824ede16a732987d46b8a535601_JaffaCakes118.dll,#1
    Signatures: System Location Discovery: System Language Discovery
    PID: 4496
Network

DNS (remote address 8.8.8.8:53; all queries are IN PTR lookups)

  Request                        Response                                            Sent   Received   Requests   Responses
  8.8.8.8.in-addr.arpa           dns.google                                          66 B   90 B       1          1
  154.239.44.20.in-addr.arpa     (empty)                                             72 B   158 B      1          1
  172.210.232.199.in-addr.arpa   (empty)                                             74 B   128 B      1          1
  68.159.190.20.in-addr.arpa     (empty)                                             72 B   158 B      1          1
  95.221.229.192.in-addr.arpa    (empty)                                             73 B   144 B      1          1
  228.249.119.40.in-addr.arpa    (empty)                                             73 B   159 B      1          1
  103.169.127.40.in-addr.arpa    (empty)                                             73 B   147 B      1          1
  56.126.166.20.in-addr.arpa     (empty)                                             72 B   158 B      1          1
  240.221.184.93.in-addr.arpa    (empty)                                             73 B   144 B      1          1
  73.144.22.2.in-addr.arpa       a2-22-144-73.deploy.static.akamaitechnologies.com   70 B   133 B      1          1
  81.144.22.2.in-addr.arpa       a2-22-144-81.deploy.static.akamaitechnologies.com   70 B   133 B      1          1
  14.227.111.52.in-addr.arpa     (empty)                                             72 B   158 B      1          1