Analysis
-
max time kernel
138s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
15/10/2024, 23:59
Static task
static1
Behavioral task
behavioral1
Sample
4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
Resource
win10v2004-20241007-en
General
-
Target
4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll
-
Size
397KB
-
MD5
4a91e3a23440d16fbcba9b10b54dee53
-
SHA1
d297b74c85b5fb748d8a2807b49558b0a9f3fd3a
-
SHA256
4fb5d550e999dbd751beea4ad677ded8157fca2a5de8c36534954b78d21f4e00
-
SHA512
cd0c7af1d0d54924f5ee28a5ffe6ce15a2d624156cb4f6782edac64f58ed8aeb2211e37d44f0602b9853773a401ad4e3dd0328e2a378ffb1df587b626205063d
-
SSDEEP
6144:ph7AgrNRbjNb0OXUFMoi2combwPYNRRlAssavROgDG0pdq12C:zBXbjNb0OXUFMoi2coOYYnRlYaQgxC
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification | ioc: \??\PhysicalDrive0 | Process: rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 2920 | Process: rundll32.exe
pid: 2920 | Process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 3088 wrote to memory of 2920 | pid: 3088 | Process: rundll32.exe | procid_target: 84
description: PID 3088 wrote to memory of 2920 | pid: 3088 | Process: rundll32.exe | procid_target: 84
description: PID 3088 wrote to memory of 2920 | pid: 3088 | Process: rundll32.exe | procid_target: 84
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a91e3a23440d16fbcba9b10b54dee53_JaffaCakes118.dll,#1
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2920
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
403B
MD5 85635cd7bf60dacfe7f04516bd7aedda
SHA1 ad8c7aaf4d32f1facbdd8f30652242cb01432f7f
SHA256 f0201e7fc0d3c58431afd58174690a6484b53242ed042387dcc72d9541531cfa
SHA512 f5b4665ff4fa38a96725e875b73aef4dd29aba3cbf641cf569c3472d171924ff623e5ec7f8f88f5ff89d4962aa077e058256ea0fdc274ed712fecb17ccc835d6