Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2024 05:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: 0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll
Size: 156KB
MD5: 0e1f4a136d096fb3ec7f09a73944d360
SHA1: 7b589dc9ee56231e4a34aa3926260704c07ce753
SHA256: 1c35430db0926e2176e8e884293d786d232d562e0611899f6ec70e54936cfd16
SHA512: 0a3fd7a84dafe913613b006f88e5e1a282aaaca3d2f6f60909f205e3563a9a196d15f6a9d6c7f4c08d87e30d59d0274872b48a1183eb9f53ac7a1e4f355499c6
SSDEEP: 3072:CWrQ+rL8+jnTF8dnPSyZHoOWUOLNAD7v3G8h/CqIRqi:JBrL82udnBH1WU447fHhjc
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  3     4000  rundll32.exe
  20    4000  rundll32.exe
  44    4000  rundll32.exe
  49    4000  rundll32.exe

Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description      ioc                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "C:\\PROGRA~3\\j60r9wla.pzz"  regedit.exe
  Note: the key modified belongs to the Winmgmt (WMI) service, not to Terminal Services; the signature name is the sandbox's generic label for a ServiceDll hijack, in which a svchost-hosted service is pointed at an attacker-controlled file. Here that file has a non-.dll extension under C:\PROGRA~3 (the 8.3 short name of C:\ProgramData) and the value is written through a silent regedit import rather than a direct registry API call from the sample's own process.

Loads dropped DLL (1 IoC)
  pid   process
  4000  rundll32.exe

Drops file in Program Files directory (5 IoCs)
  description                   ioc                        process
  File created                  C:\PROGRA~3\j60r9wla.pff   rundll32.exe
  File opened for modification  C:\PROGRA~3\j60r9wla.pff   rundll32.exe
  File created                  C:\PROGRA~3\j60r9wla.ctrl  rundll32.exe
  File created                  C:\PROGRA~3\j60r9wla.reg   rundll32.exe
  File created                  C:\PROGRA~3\alw9r06j.plz   rundll32.exe
  Note: despite the signature name, C:\PROGRA~3 is C:\ProgramData on a default x64 install, so these are ProgramData drops.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regedit.exe

Runs .reg file with regedit (1 IoC)
  pid   process
  4508  regedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  4000  rundll32.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process       procid_target
  PID 4396 wrote to memory of 4100  4396  rundll32.exe  83  (logged 3 times)
  PID 4100 wrote to memory of 4000  4100  rundll32.exe  84  (logged 3 times)
  PID 4000 wrote to memory of 4508  4000  rundll32.exe  94  (logged 3 times)
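The ServiceDll change recorded above is applied by importing a dropped .reg file silently (regedit -s), which is a detection opportunity on its own: any .reg file that rewrites Services\<name>\Parameters\ServiceDll can be checked before or after import. The following is an added example, not part of the sandbox report or of the sample: a small Python checker that parses a .reg export, decodes both plain REG_SZ values and regedit's hex(2) (REG_EXPAND_SZ) encoding with its backslash continuation lines, and flags any ServiceDll that points outside System32/SysWOW64, has a non-.dll extension, or lives under ProgramData. The .reg text it runs on is constructed for the example: only the Winmgmt value is taken from the report, the Dhcp (benign) and TermService (hex(2)-encoded) entries are assumptions, and the real contents of j60r9wla.reg are not on the page.

```python
"""Added example (not from the report): flag ServiceDll hijacks in a .reg export."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
SERVICE_PARAMS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)\\Parameters$",
    re.IGNORECASE,
)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DROP_DIRS = ("\\programdata\\", "\\progra~3\\")


def to_hex2(s: str, width: int = 20) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes, NUL-terminated,
    wrapped into trailing-backslash continuation lines. Used only to build the constructed sample."""
    hexes = [f"{b:02x}" for b in s.encode("utf-16-le") + b"\x00\x00"]
    chunks = [",".join(hexes[i:i + width]) for i in range(0, len(hexes), width)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed sample. Only the Winmgmt value is taken from the report; the Dhcp (benign) and
# TermService (hex(2)-encoded) entries are assumptions, and the real j60r9wla.reg is not on the page.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters]",
    r'"ServiceDll"="C:\\PROGRA~3\\j60r9wla.pzz"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters]",
    '"ServiceDll"=' + to_hex2(r"%SystemRoot%\system32\dhcpcore.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]",
    '"ServiceDll"=' + to_hex2(r"C:\Users\Public\termsrv.dll"),
    "",
])


def _logical_lines(text: str):
    """Yield lines with regedit's trailing-backslash continuations joined into one logical line."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield "".join(buf)
        buf = []
    if buf:
        yield "".join(buf)


def decode_data(data: str):
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) data; None for any other value type."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00")
    return None


def parse_reg(text: str):
    """Yield (key, value_name, decoded_string) for every string-typed value in the export."""
    key = None
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            decoded = decode_data(m.group("data"))
            if decoded is not None:
                yield key, m.group("name"), decoded


def find_servicedll_hijacks(text: str):
    """Return one finding per ServiceDll value that does not look like a stock Windows service DLL."""
    findings = []
    for key, name, value in parse_reg(text):
        svc = SERVICE_PARAMS_RE.match(key)
        if name.lower() != "servicedll" or not svc:
            continue
        path = value.lower().replace("%systemroot%", "c:\\windows")
        reasons = []
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("outside System32/SysWOW64")
        if not path.endswith(".dll"):
            reasons.append("non-.dll extension")
        if any(d in path for d in DROP_DIRS):
            reasons.append("ProgramData drop location")
        if reasons:
            findings.append({"service": svc.group("svc"), "path": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_servicedll_hijacks(SAMPLE_REG):
        print(f"{f['service']}: ServiceDll -> {f['path']} ({'; '.join(f['reasons'])})")
```

The hex(2) handling matters because a plain grep for `ServiceDll"="C:\` misses exports (or hand-built .reg files) that carry the same path as UTF-16LE hex; decoding both forms before applying the path rules closes that gap. The same path rules apply unchanged to live registry data read with any API, since the checker only needs the decoded string.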
Processes

Each entry shows the image path and PID, then the command line as recorded, then the signatures that process triggered. Two details of the tree are normal WoW64 behaviour rather than evasion: the 64-bit C:\Windows\system32\rundll32.exe (PID 4396) re-executes the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 4100) because it was handed a 32-bit DLL, and PID 4000's command line names system32\rundll32.exe while its image is the SysWOW64 copy because file-system redirection maps System32 to SysWOW64 for 32-bit processes.

1. C:\Windows\system32\rundll32.exe (PID 4396)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 4100)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll,#1
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 4000)
         C:\Windows\system32\rundll32.exe C:\PROGRA~3\alw9r06j.plz,GL300
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\regedit.exe (PID 4508)
            C:\Windows\regedit.exe -s C:\PROGRA~3\j60r9wla.reg
            - Server Software Component: Terminal Services DLL
            - System Location Discovery: System Language Discovery
            - Runs .reg file with regedit
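The chain above (64-bit rundll32, then 32-bit rundll32 loading the sample by ordinal, then rundll32 loading a .plz file from C:\PROGRA~3 by a named export, then a silent regedit import) is the kind of pattern a process-creation rule should catch without needing the file hashes. As an added example that is not part of the report, here is a Python rule set run over constructed process-creation events modelled on the tree (PIDs, image paths and command lines as listed above; the parent of PID 4396 is not in the report and is set to 0, and PID 5000 is an assumed benign control case). It flags rundll32 loading a module from a user-writable path, with a non-.dll extension, or by ordinal, flags a silent regedit import spawned by rundll32, and reconstructs the ancestry chain for each hit.

```python
"""Added example (not from the report): process-creation rules for the rundll32 -> regedit chain."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\0e1f4a136d096fb3ec7f09a73944d360_JaffaCakes118.dll"

# Constructed events modelled on the report's process tree (PIDs, image paths and command lines as
# listed there). Assumptions: the parent of PID 4396 is not in the report (ppid 0 here), and PID 5000
# is an added benign control case.
EVENTS = [
    ProcEvent(4396, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4100, 4396, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4000, 4100, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\PROGRA~3\alw9r06j.plz,GL300"),
    ProcEvent(4508, 4000, r"C:\Windows\SysWOW64\regedit.exe",
              r"C:\Windows\regedit.exe -s C:\PROGRA~3\j60r9wla.reg"),
    ProcEvent(5000, 900, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# rundll32 <module>,<entry>: the module may be quoted; the entry is an export name or a #ordinal
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"?(?P<module>[^",\s]+)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\progra~3\\", "\\users\\public\\")
SILENT_FLAG_RE = re.compile(r"(?:^|\s)[-/]s(?:\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_reasons(cmdline: str) -> list:
    """Rules for rundll32: user-writable module path, non-.dll extension, export called by ordinal."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    module = m.group("module").lower()
    reasons = []
    if any(marker in module for marker in USER_WRITABLE):
        reasons.append("module loaded from user-writable path")
    if not module.endswith(".dll"):
        reasons.append("module has non-.dll extension")
    if m.group("entry").startswith("#"):
        reasons.append("export called by ordinal")
    return reasons


def regedit_reasons(ev: ProcEvent, parent) -> list:
    """Rule for regedit: silent import (-s or /s) whose parent process is rundll32."""
    if basename(ev.image) != "regedit.exe" or not SILENT_FLAG_RE.search(ev.cmdline):
        return []
    if parent is not None and basename(parent.image) == "rundll32.exe":
        return ["silent .reg import spawned by rundll32"]
    return []


def ancestry(pid: int, by_pid: dict) -> list:
    """Walk ppid links back to the oldest known ancestor; returns PIDs root-first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyze(events) -> list:
    """Return one finding per process that trips a rule, with its ancestry chain attached."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = []
        if basename(ev.image) == "rundll32.exe":
            reasons += rundll32_reasons(ev.cmdline)
        reasons += regedit_reasons(ev, by_pid.get(ev.ppid))
        if reasons:
            findings.append({"pid": ev.pid, "image": ev.image, "reasons": reasons,
                             "chain": ancestry(ev.pid, by_pid)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        chain = " > ".join(str(p) for p in f["chain"])
        print(f"PID {f['pid']} {basename(f['image'])}: {'; '.join(f['reasons'])}  [chain {chain}]")
```

The rules key on command-line and lineage facts rather than on the dropped file names, so renaming j60r9wla.reg or alw9r06j.plz does not evade them; the ancestry walk is what turns four separate low-confidence hits into one chain worth paging on.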
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156KB
MD5: 0e1f4a136d096fb3ec7f09a73944d360
SHA1: 7b589dc9ee56231e4a34aa3926260704c07ce753
SHA256: 1c35430db0926e2176e8e884293d786d232d562e0611899f6ec70e54936cfd16
SHA512: 0a3fd7a84dafe913613b006f88e5e1a282aaaca3d2f6f60909f205e3563a9a196d15f6a9d6c7f4c08d87e30d59d0274872b48a1183eb9f53ac7a1e4f355499c6

Filesize: 285B
MD5: 0bc7599dd41f6e2c71d50b7dc4b910b3
SHA1: c07878433725c57d7d6198f552d39aa4e51a7ec1
SHA256: 7fd977382133f1c9ee1735c773686b4a9c0def7012f616a08587011b259b883d
SHA512: 32d6fa43d19885ef0fd20868036b34f1e0e6c3ea4026caa53f8e5c6ae26081a5ac172b07ca018e7182ff00808fd8f43d7b7120b58dca9d231128b6f4b824a4c6