Analysis
-
max time kernel
141s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 01:14
Behavioral task
behavioral1
Sample
0834adc6a1871a4fef9b102cb0d1d9a7_JaffaCakes118.dll
Resource
win7-20240708-en
General
-
Target
0834adc6a1871a4fef9b102cb0d1d9a7_JaffaCakes118.dll
-
Size
31KB
-
MD5
0834adc6a1871a4fef9b102cb0d1d9a7
-
SHA1
29b6e9c1b12b325e7bc26abc6eabbcbd5734ff6f
-
SHA256
e252e8b0fb89379bc3c7c91c48a59edcda62af862d9b402bf392b868015722c5
-
SHA512
b1afeda282ac5862fe0df1ca153e24e49316aefe7c998286b42e3af61752d186a53155ac32153a9931ee640150fc4c69cc93a83675eaac23ec4c9d4ea718aeb1
-
SSDEEP
768:YHQ3s12Ihm/u9ebPARSVrrja25BNIffCI3xWulk:Ywc1EJbIA2xBlk
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1592-0-0x0000000010000000-0x0000000010016000-memory.dmp upx behavioral1/memory/1592-11-0x0000000010000000-0x0000000010016000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Help\starter\help.htm rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30 PID 808 wrote to memory of 1592 808 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0834adc6a1871a4fef9b102cb0d1d9a7_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0834adc6a1871a4fef9b102cb0d1d9a7_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1592
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5b8c1954031a1e6d2ca6119c904950402
SHA12e62e61b71bd0b4a4e70e9cae8ac06926044304c
SHA2566aee7932bdf82d9c28a2c2a2896a48fcf0d57e1d797f89324c4826949a4828eb
SHA512b9d1fe082e3aaa8aa92d4b1366f3b2712167bfa81e772f370ae6d58d19ceac180b6e9be640bf68f96631ea6cd3fc63413ce8383eb849ce6dae6e6015558e15d5