Analysis Overview
SHA256
0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1
Threat Level: Known bad
The file f55920966b4970588ce643af0fcc03a7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
Blocklisted process makes network request
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 06:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 06:02
Reported
2024-09-25 06:04
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dyac = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Caycu\\ebcofuf.dll,DllRegisterServer" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2156 set thread context of 3052 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | axelerode.club | udp |
| US | 44.221.84.105:443 | axelerode.club | tcp |
| US | 8.8.8.8:53 | axelerode.host | udp |
Files
memory/2156-0-0x0000000002190000-0x0000000002B00000-memory.dmp
memory/2156-2-0x00000000021F4000-0x00000000021F7000-memory.dmp
memory/2156-3-0x0000000002190000-0x0000000002B00000-memory.dmp
memory/2156-5-0x00000000021F4000-0x00000000021F7000-memory.dmp
memory/2156-4-0x0000000002190000-0x0000000002B00000-memory.dmp
memory/2156-6-0x0000000002190000-0x0000000002B00000-memory.dmp
memory/3052-8-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/3052-7-0x0000000000090000-0x00000000000BC000-memory.dmp
memory/3052-9-0x0000000000090000-0x00000000000BC000-memory.dmp
memory/2156-10-0x0000000002190000-0x0000000002B00000-memory.dmp
memory/3052-12-0x0000000000090000-0x00000000000BC000-memory.dmp
memory/3052-13-0x0000000000090000-0x00000000000BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 06:02
Reported
2024-09-25 06:04
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
96s
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edhuoh = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Fadeu\\ugehocuc.dll,DllRegisterServer" | C:\Windows\SysWOW64\msiexec.exe | N/A |
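Both detonations persist the same way: msiexec.exe (the injected host) writes a per-user Run value whose data is `rundll32.exe <random dir under AppData\Roaming>\<random>.dll,DllRegisterServer`. The following script, an added example that is not part of the sandbox report, parses Run-key indicator rows in the format shown above and flags this shape. The two malicious rows are copied from the behavioral1 and behavioral2 tables; the `VendorUpdate` row is a constructed benign entry used only as a contrast case, and the `assess_command` heuristics are the author's choice, not a sandbox rule.

```python
import re
from dataclasses import dataclass, field

# Run-key rows copied from the two detonations (behavioral1 on win7, behavioral2
# on win10). The sandbox prints the REG_SZ data with doubled backslashes.
# The third row is a constructed benign entry used only as a contrast case.
RUN_KEY_ROWS = [
    r'\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dyac = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Caycu\\ebcofuf.dll,DllRegisterServer"',
    r'\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edhuoh = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Fadeu\\ugehocuc.dll,DllRegisterServer"',
    r'\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "C:\\Program Files\\Vendor\\update.exe /background"',
]

# \REGISTRY\USER\<SID>\...\CurrentVersion\Run\<value name> = "<REG_SZ data>"
ROW_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'(?P<key>.+?\\CurrentVersion\\Run)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$',
    re.IGNORECASE,
)
# rundll32 command shape: "<host> <dll path>,<export name>"
RUNDLL_RE = re.compile(r'^(?P<host>\S+)\s+(?P<dll>.+?),(?P<export>[A-Za-z_][\w@]*)$')


@dataclass
class RunKeyFinding:
    sid: str
    value_name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_run_key_row(row: str):
    """Return (sid, value name, command) for a Run-key indicator row, or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    # The sandbox renders the value data with escaped backslashes; undo that.
    data = m.group('data').replace('\\\\', '\\')
    return m.group('sid'), m.group('name'), data


def assess_command(command: str) -> list:
    """Heuristics (author's choice) for the rundll32 persistence shape seen in this report."""
    reasons = []
    m = RUNDLL_RE.match(command)
    if m and m.group('host').rsplit('\\', 1)[-1].lower() == 'rundll32.exe':
        reasons.append('rundll32 proxy execution of a DLL from a Run value')
        if m.group('export').lower() == 'dllregisterserver':
            reasons.append('entry point is DllRegisterServer, the export used in this report')
        if '\\appdata\\roaming\\' in m.group('dll').lower():
            reasons.append('DLL lives under a user-writable roaming profile directory')
    return reasons


def find_suspicious_run_keys(rows):
    findings = []
    for row in rows:
        parsed = parse_run_key_row(row)
        if parsed is None:
            continue
        sid, name, command = parsed
        reasons = assess_command(command)
        if reasons:
            findings.append(RunKeyFinding(sid, name, command, reasons))
    return findings


if __name__ == '__main__':
    for f in find_suspicious_run_keys(RUN_KEY_ROWS):
        print(f'{f.sid}  Run\\{f.value_name} = {f.command}')
        for r in f.reasons:
            print('   -', r)
```

On a live host the same `assess_command` check can be run over the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the value name and directory name are different on every infected machine (Dyac/Caycu on the Windows 7 run, Edhuoh/Fadeu on Windows 10), so match on the command shape, not on those names.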
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3740 set thread context of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 3740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 3740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 3740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3740 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 3740 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 3740 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 3740 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 3740 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f55920966b4970588ce643af0fcc03a7_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | axelerode.club | udp |
| US | 44.221.84.105:443 | axelerode.club | tcp |
| US | 8.8.8.8:53 | axelerode.host | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | axelerode.host | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | axelerode.host | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
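The two network tables mix three different things: DNS lookups of the C2 domains, the single TLS connection to 44.221.84.105:443 (resolved from axelerode.club), and, on the Windows 10 guest, a run of reverse (PTR) lookups that the table renders as `<reversed octets>.in-addr.arpa`. The script below, an added example that is not part of the sandbox report, parses the rows copied from both detonations, decodes the PTR names back into addresses, and separates the PTR lookup that matches a contacted address (105.84.221.44.in-addr.arpa is 44.221.84.105) from the ones that match nothing in the table. The row tuples are copied from the tables above; the output field names are the author's.

```python
import ipaddress
from collections import Counter

# Network rows copied from the two detonations: (country, destination, domain, proto).
NETWORK_ROWS = {
    'behavioral1': [
        ('US', '8.8.8.8:53', 'axelerode.club', 'udp'),
        ('US', '44.221.84.105:443', 'axelerode.club', 'tcp'),
        ('US', '8.8.8.8:53', 'axelerode.host', 'udp'),
    ],
    'behavioral2': [
        ('US', '8.8.8.8:53', '8.8.8.8.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '209.205.72.20.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '172.214.232.199.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '74.32.126.40.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '95.221.229.192.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '196.249.167.52.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '50.23.12.20.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '171.39.242.20.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', '92.12.20.2.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', 'axelerode.club', 'udp'),
        ('US', '44.221.84.105:443', 'axelerode.club', 'tcp'),
        ('US', '8.8.8.8:53', 'axelerode.host', 'udp'),
        ('US', '8.8.8.8:53', '105.84.221.44.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', 'axelerode.host', 'udp'),
        ('US', '8.8.8.8:53', '172.210.232.199.in-addr.arpa', 'udp'),
        ('US', '8.8.8.8:53', 'axelerode.host', 'udp'),
        ('US', '8.8.8.8:53', '11.227.111.52.in-addr.arpa', 'udp'),
    ],
}


def ptr_to_ip(name: str):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None if the name is not a PTR name."""
    suffix = '.in-addr.arpa'
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address('.'.join(reversed(octets))))
    except ValueError:
        return None


def extract_iocs(rows):
    """Split the rows into forward lookups, real connections and reverse lookups."""
    domains, connections, ptr_targets = Counter(), set(), set()
    for _country, dest, name, proto in rows:
        ip, port = dest.rsplit(':', 1)
        if proto == 'udp' and port == '53':
            target = ptr_to_ip(name)
            if target is None:
                domains[name] += 1          # forward lookup of a hostname
            else:
                ptr_targets.add(target)     # reverse lookup of an address
        else:
            connections.add((ip, int(port), name))
    contacted = {ip for ip, _port, _name in connections}
    connected_names = {name for _ip, _port, name in connections}
    return {
        'domains': dict(domains),
        'connections': sorted(connections),
        'queried_without_connection': sorted(d for d in domains if d not in connected_names),
        'ptr_of_contacted': sorted(ptr_targets & contacted),
        'ptr_other': sorted(ptr_targets - contacted),
    }


if __name__ == '__main__':
    for run, rows in NETWORK_ROWS.items():
        iocs = extract_iocs(rows)
        print(run)
        for key, value in iocs.items():
            print(f'  {key}: {value}')
```

The result is the IOC set worth blocking or hunting for: the domains axelerode.club and axelerode.host and the address 44.221.84.105 on 443/tcp. axelerode.host is queried in both runs (three times on Windows 10) but never appears as a connection target in either table, so treat it as a C2 candidate without a resolved address rather than as a confirmed contact. The remaining PTR lookups match no destination in the report and should not be promoted to indicators.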
Files
memory/3740-1-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/3740-2-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/3740-4-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/3740-3-0x0000000002D44000-0x0000000002D47000-memory.dmp
memory/3740-5-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/3740-6-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/3740-7-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/2216-8-0x0000000000470000-0x000000000049C000-memory.dmp
memory/3740-10-0x0000000002CE0000-0x0000000003650000-memory.dmp
memory/2216-12-0x0000000000470000-0x000000000049C000-memory.dmp
memory/2216-13-0x0000000000470000-0x000000000049C000-memory.dmp
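The injection chain is the same in both detonations: the 64-bit rundll32.exe in system32 starts a SysWOW64 rundll32.exe for the 32-bit DLL, that process writes into a freshly started SysWOW64 msiexec.exe and then changes one of its thread contexts (PID 2156 into 3052 on Windows 7, 3740 into 2216 on Windows 10), and the sandbox's repeated WriteProcessMemory rows are separate calls on the same pair. The script below, an added example that is not part of the sandbox report, collapses those rows into one edge per process pair, labels the edge by the combination of operations seen, and parses the memory dump names to size the regions dumped from the injection target. The signature rows and dump names are copied from the two detonations (only the distinct regions are listed; the other dump names repeat them); the verdict strings and the hollowing heuristic are the author's.

```python
import re
from collections import defaultdict

# Signature rows copied from the report. behavioral1 shows only the
# SetThreadContext row; behavioral2 shows it plus the repeated
# WriteProcessMemory rows (three 4664->3740, five 3740->2216).
RUNDLL64 = r'C:\Windows\system32\rundll32.exe'
RUNDLL32 = r'C:\Windows\SysWOW64\rundll32.exe'
MSIEXEC = r'C:\Windows\SysWOW64\msiexec.exe'
SIGNATURE_ROWS = {
    'behavioral1': [('PID 2156 set thread context of 3052', RUNDLL32, MSIEXEC)],
    'behavioral2': [('PID 3740 set thread context of 2216', RUNDLL32, MSIEXEC)]
                  + [('PID 4664 wrote to memory of 3740', RUNDLL64, RUNDLL32)] * 3
                  + [('PID 3740 wrote to memory of 2216', RUNDLL32, MSIEXEC)] * 5,
}
# Distinct dump names from the two "Files" lists; the remaining names repeat these regions.
MEMORY_DUMPS = {
    'behavioral1': [
        'memory/2156-0-0x0000000002190000-0x0000000002B00000-memory.dmp',
        'memory/2156-2-0x00000000021F4000-0x00000000021F7000-memory.dmp',
        'memory/3052-8-0x00000000000C0000-0x00000000000C1000-memory.dmp',
        'memory/3052-7-0x0000000000090000-0x00000000000BC000-memory.dmp',
    ],
    'behavioral2': [
        'memory/3740-1-0x0000000002CE0000-0x0000000003650000-memory.dmp',
        'memory/3740-3-0x0000000002D44000-0x0000000002D47000-memory.dmp',
        'memory/2216-8-0x0000000000470000-0x000000000049C000-memory.dmp',
    ],
}

EVENT_RE = re.compile(r'^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+)$')
DUMP_RE = re.compile(r'^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$')


def injection_edges(rows):
    """Collapse repeated rows into one edge per (src, dst) with the set of operations seen."""
    edges, images = defaultdict(set), {}
    for desc, src_img, dst_img in rows:
        m = EVENT_RE.match(desc)
        if not m:
            continue
        src, dst = int(m.group('src')), int(m.group('dst'))
        edges[(src, dst)].add('write' if m.group('verb').startswith('wrote') else 'context')
        images[src], images[dst] = src_img, dst_img
    return edges, images


def region_sizes(dumps):
    """pid -> sorted list of (start, size in bytes) for each distinct dumped region."""
    regions = defaultdict(set)
    for name in dumps:
        m = DUMP_RE.match(name)
        if m:
            start, end = int(m.group('start'), 16), int(m.group('end'), 16)
            regions[int(m.group('pid'))].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


def classify(rows, dumps):
    """One finding per process pair: which operations hit it and what was dumped from the target."""
    edges, images = injection_edges(rows)
    regions = region_sizes(dumps)
    findings = []
    for (src, dst), ops in edges.items():
        if ops == {'write', 'context'}:
            verdict = 'remote write plus thread-context change: thread hijack / hollowing pattern'
        elif ops == {'context'}:
            verdict = 'thread context of a foreign process changed (no write row recorded in this run)'
        else:
            verdict = 'remote write only'
        findings.append({'src': (src, images[src]), 'dst': (dst, images[dst]),
                         'ops': sorted(ops), 'verdict': verdict,
                         'dst_regions': regions.get(dst, [])})
    return findings


def largest_region(findings, dst_pid):
    """Size in bytes of the biggest region dumped from the given injection target."""
    for f in findings:
        if f['dst'][0] == dst_pid and f['dst_regions']:
            return max(size for _start, size in f['dst_regions'])
    return None


if __name__ == '__main__':
    for run in ('behavioral1', 'behavioral2'):
        print(run)
        for f in classify(SIGNATURE_ROWS[run], MEMORY_DUMPS[run]):
            print(f"  {f['src'][0]} {f['src'][1]} -> {f['dst'][0]} {f['dst'][1]}: {f['verdict']}")
            for start, size in f['dst_regions']:
                print(f"     target region 0x{start:X}, 0x{size:X} bytes")
```

Two things fall out of the sizes. The large region in the SysWOW64 rundll32.exe is 0x970000 bytes in both runs (0x02190000-0x02B00000 on Windows 7, 0x02CE0000-0x03650000 on Windows 10), and the region dumped from msiexec.exe is 0x2C000 bytes in both (0x90000-0xBC000 and 0x470000-0x49C000), so the same-sized module lands in the msiexec host regardless of platform; those msiexec dumps are the ones to carve for the injected code. The write-only edge from the system32 rundll32 into its SysWOW64 counterpart is the 64-bit rundll32 handing a 32-bit DLL to the 32-bit one, which the process list above shows running the same command line.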