Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 15/10/2024, 23:59
Static task: static1
Behavioral task: behavioral1
- Sample: 4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
- Resource: win10v2004-20241007-en
General
- Target: 4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
- Size: 397KB
- MD5: 4a91e3a23440d16fbcba9b10b54dee53
- SHA1: d297b74c85b5fb748d8a2807b49558b0a9f3fd3a
- SHA256: 4fb5d550e999dbd751beea4ad677ded8157fca2a5de8c36534954b78d21f4e00
- SHA512: cd0c7af1d0d54924f5ee28a5ffe6ce15a2d624156cb4f6782edac64f58ed8aeb2211e37d44f0602b9853773a401ad4e3dd0328e2a378ffb1df587b626205063d
- SSDEEP: 6144:ph7AgrNRbjNb0OXUFMoi2combwPYNRRlAssavROgDG0pdq12C:zBXbjNb0OXUFMoi2coOYYnRlYaQgxC
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2868
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2864 wrote to memory of 2868
  pid: 2864
  process: rundll32.exe
  procid_target: 30
  (the same event is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2864
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 367B
  MD5: aa2a17254f7a9a728e8463f2f61f3c98
  SHA1: 3df559a6187e3ec9f56154f4596fee89f4d874c6
  SHA256: bd790ad3a226d40fa9e40aab3405f8b08d840e19dd16e12348399ca7d6fbd3a1
  SHA512: 0c3373a235c42dc7826235e820d1ef7e7ff47cefd978a9241046564abcf345b93dfa664b1fd125c2a5e9869a31939817f7d8842b5f54b859991b92d4d1942526