Analysis
max time kernel: 13s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 00:09
Behavioral task: behavioral1
Sample: 11082034ec09d09405f9a7c7eae47e52_JaffaCakes118.dll
Resource: win7-20240903-en
5 signatures
150 seconds
General
Target: 11082034ec09d09405f9a7c7eae47e52_JaffaCakes118.dll
Size: 271KB
MD5: 11082034ec09d09405f9a7c7eae47e52
SHA1: 4e653a28f3b5d0b16321c8da6363bbca3bd3816d
SHA256: 86291874a98c2fb70aaa5bdc7434e8198a5a1fe80aa532f39259ccfc2a7d37d3
SHA512: 1eedf4c814e4bdb51af5e97965b3c4e436e73578ebf92cee9b8023a4cd886e699cedd014d6c73b18a831c08f596f8e60d25e6447d42e9bf3f8e2d5bf011428e1
SSDEEP: 6144:vkYEfs5C2+9tylG0SSx1lD5HBOReQ68lXk9Aqstd1Sf39ZzKRcr5wa3I070C:hos5C7Ww8x1loJtlXrds39eY5rI0
Malware Config
Signatures
resource  yara_rule
behavioral1/memory/1872-0-0x0000000010000000-0x00000000100D4000-memory.dmp  upx
behavioral1/memory/1872-3-0x0000000010000000-0x00000000100D4000-memory.dmp  upx
behavioral1/memory/1872-2-0x0000000010000000-0x00000000100D4000-memory.dmp  upx
behavioral1/memory/1872-1-0x0000000010000000-0x00000000100D4000-memory.dmp  upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1872  rundll32.exe
1872  rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1872  rundll32.exe
Suspicious use of WriteProcessMemory 7 IoCs
description  pid  Process  procid_target
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
PID 820 wrote to memory of 1872  820  rundll32.exe  30
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\11082034ec09d09405f9a7c7eae47e52_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 820
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\11082034ec09d09405f9a7c7eae47e52_JaffaCakes118.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1872