Analysis
Max time kernel: 141s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-09-2024 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
Size: 112KB
MD5: f00438c060616c2255f95dcbfd983d0b
SHA1: 8a8ff162ed055872593fa9ad311e3fde8461374a
SHA256: af92923de76a01e2a2c56696bb1462fd4619bca12d8749725f8ae35315e144fd
SHA512: a4b2f42beb7bf540a873ef0548d772e5450db06b2ec72330421c12a43b33bd11ed3b47fe868cee7bd07383a78ff01fe72a0806e2e47db39a0c08df696b162ab3
SSDEEP: 1536:TqRuhXx2plzGRondkyeGpZcUk+BSxLdl4dmikuDVCGYnHInbSTuVappCt:TxXa0kdnRpZcqAtdlqgAYnH22//
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  PID   Process
  4824  rundll32.exe
  2224  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  Process: rundll32.exe
  IoC: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlarikumipo = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\detend.dll\",Startup"
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID   Process
  4824  rundll32.exe (12 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process                                             procid_target
  PID 712 wrote to memory of 4824   712   f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe  82  (3 identical entries)
  PID 4824 wrote to memory of 2224  4824  rundll32.exe                                        85  (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe (PID 712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f00438c060616c2255f95dcbfd983d0b_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4824)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\detend.dll",Startup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 2224)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\detend.dll",iep
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 112KB
MD5: c34e65950d1b5900bddf7859940327a9
SHA1: 5165f8391dbbd26226257c67da0536b4ab33f0d9
SHA256: b19355a5a942e403a7027543db65731f3dc3b1261a652b47e6314a53a8668340
SHA512: 3f7d53749fa36be842a391602e4cae766889e8917fa584e0367b7af70423e1b6230240c8e33ca1ed64e761730881d8c492fd20481fb5ea6c2d6a3e9a66940160