Analysis
- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 20:45
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 41faa40906c4c7b189dfcf861594cd53_JaffaCakes118.dll
  - Resource: win7-20241010-en
Behavioral task
- behavioral2
  - Sample: 41faa40906c4c7b189dfcf861594cd53_JaffaCakes118.dll
  - Resource: win10v2004-20241007-en
General
- Target: 41faa40906c4c7b189dfcf861594cd53_JaffaCakes118.dll
- Size: 47KB
- MD5: 41faa40906c4c7b189dfcf861594cd53
- SHA1: 0916a8e3db9dc55bef9d247540f18a65200905c5
- SHA256: d2b27bd1408962e29c302e3e7c9b8dc7244fff0bde875cd770950de2a8cc611a
- SHA512: cadf9b3ab87aa89cce48a6e16adbd227bb6b10b4a9629568e025d76ff910ab1b41fbe0ad8a74b314aa18ee2ea6327eea186a070e573f072dc54d7d361953d038
- SSDEEP: 768:GHOlwYkeyrZrpYiwh5WzPECOPxuFWxuAHOlwYnCMIILQbCgFA:GuC7Zrfw+TE6su1C8wCa
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid Process
  - 2956 hrl9E52.tmp
  - 2968 huzbeq.exe
- Loads dropped DLL (3 IoCs)
  pid Process
  - 2576 rundll32.exe
  - 2576 rundll32.exe
  - 2968 huzbeq.exe
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description ioc Process
  - File opened (read-only) by rundll32.exe (21 IoCs): \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  - File opened (read-only) by huzbeq.exe (21 IoCs): \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in System32 directory (3 IoCs)
  description ioc Process
  - File created C:\Windows\SysWOW64\huzbeq.exe hrl9E52.tmp
  - File opened for modification C:\Windows\SysWOW64\huzbeq.exe hrl9E52.tmp
  - File created C:\Windows\SysWOW64\gei33.dll huzbeq.exe
- Drops file in Program Files directory (60 IoCs)
  description ioc Process
  All 60 entries are by huzbeq.exe; each of the following 30 paths appears once as "File created" and once as "File opened for modification":
  - C:\Program Files\7-Zip\lpk.dll
  - C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
  - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\lpk.dll
  - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\lpk.dll
  - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\lpk.dll
  - C:\Program Files\Common Files\Microsoft Shared\ink\lpk.dll
  - C:\Program Files\DVD Maker\lpk.dll
  - C:\Program Files\Google\Chrome\Application\lpk.dll
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\lpk.dll
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lpk.dll
  - C:\Program Files\Internet Explorer\lpk.dll
  - C:\Program Files\Java\jdk1.7.0_80\bin\lpk.dll
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\lpk.dll
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\lpk.dll
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\lpk.dll
  - C:\Program Files\Java\jre7\bin\lpk.dll
  - C:\Program Files\Microsoft Games\Chess\lpk.dll
  - C:\Program Files\Microsoft Games\FreeCell\lpk.dll
  - C:\Program Files\Microsoft Games\Hearts\lpk.dll
  - C:\Program Files\Microsoft Games\Mahjong\lpk.dll
  - C:\Program Files\Microsoft Games\Minesweeper\lpk.dll
  - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\lpk.dll
  - C:\Program Files\Microsoft Games\Multiplayer\Checkers\lpk.dll
  - C:\Program Files\Microsoft Games\Multiplayer\Spades\lpk.dll
  - C:\Program Files\Microsoft Games\Purble Place\lpk.dll
  - C:\Program Files\Microsoft Games\Solitaire\lpk.dll
  - C:\Program Files\Microsoft Games\SpiderSolitaire\lpk.dll
  - C:\Program Files\Microsoft Office\Office14\lpk.dll
  - C:\Program Files\Mozilla Firefox\lpk.dll
  - C:\Program Files\Mozilla Firefox\uninstall\lpk.dll
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description ioc Process
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrl9E52.tmp
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language huzbeq.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description pid Process procid_target
  - PID 2528 wrote to memory of 2576; pid 2528, rundll32.exe, procid_target 30 (7 entries)
  - PID 2576 wrote to memory of 2956; pid 2576, rundll32.exe, procid_target 31 (4 entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 2528)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41faa40906c4c7b189dfcf861594cd53_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2576)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41faa40906c4c7b189dfcf861594cd53_JaffaCakes118.dll,#1
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hrl9E52.tmp (PID 2956)
      Command line: C:\Users\Admin\AppData\Local\Temp\hrl9E52.tmp
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\huzbeq.exe (PID 2968)
  Command line: C:\Windows\SysWOW64\huzbeq.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
  MD5: fa83218ca7e58eadde29e52cce1981a8
  SHA1: 18f611023882b03f045f22f598b3b49d55bd83db
  SHA256: 2dd3e624cb2465f04397041ace613792a3a731533fac86a84b136270b78bf4c4
  SHA512: 9726e7f3a0ce093866b0f9b150e1f22e3413d98cfa54aa31a5fbf73a23c7b78e21a124e9668bc320125b104c7c4631409e4f7516a9b1cb4027811d5fae8cae3b
- Filesize: 47KB
  MD5: 41faa40906c4c7b189dfcf861594cd53
  SHA1: 0916a8e3db9dc55bef9d247540f18a65200905c5
  SHA256: d2b27bd1408962e29c302e3e7c9b8dc7244fff0bde875cd770950de2a8cc611a
  SHA512: cadf9b3ab87aa89cce48a6e16adbd227bb6b10b4a9629568e025d76ff910ab1b41fbe0ad8a74b314aa18ee2ea6327eea186a070e573f072dc54d7d361953d038