fcd1a0767a96fafb5d2bb4f57df1f4c39d5e5050f739a631ddf4f5d7d470f5e2

General

Target

827386d4ee7d27217c2a77c58c44fb50_JaffaCakes118.dll
Size

216KB
MD5

827386d4ee7d27217c2a77c58c44fb50
SHA1

4dbc46b603b60b2e9e8ebc14a071abbd5edd7322
SHA256

fcd1a0767a96fafb5d2bb4f57df1f4c39d5e5050f739a631ddf4f5d7d470f5e2
SHA512

2d305f03b56bcbbd72b9979c27fdb1b133e8bb0833945194a4a562c413a108b7692f5e00f4184cd197cdb0ca5e924aa4d2e7acb41519d579fa844d684dce3b68
SSDEEP

3072:OFJUDVDJoTe2b9hfNy1ItjsCzdXPM/2AunR5Gwyhel:lxDJoTesXY1CsCx/rLGw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	3412	rundll32.exe
29	3412	rundll32.exe
53	3412	rundll32.exe
65	3412	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3412	rundll32.exe
4768	rundll32.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4632-4-0x0000000074BC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/3412-13-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/3412-9-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4632-1-0x0000000074BC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/4768-25-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-22-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4632-29-0x0000000074BC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/3412-31-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-35-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-36-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-39-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-41-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-42-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-45-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-47-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-48-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-53-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-56-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-64-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-66-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-85-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-92-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/4768-93-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/4768-96-0x0000000074600000-0x0000000074637000-memory.dmp	upx
behavioral2/memory/3412-98-0x0000000074720000-0x0000000074757000-memory.dmp	upx
behavioral2/memory/3412-105-0x0000000074720000-0x0000000074757000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\6j4bjr4e.dss	rundll32.exe
File created	C:\PROGRA~3\e4rjb4j6.bxx	rundll32.exe
File opened for modification	C:\PROGRA~3\e4rjb4j6.bxx	rundll32.exe
File created	C:\PROGRA~3\e4rjb4j6.fvv	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4632	4280	rundll32.exe	84
PID 4280 wrote to memory of 4632	4280	rundll32.exe	84
PID 4280 wrote to memory of 4632	4280	rundll32.exe	84
PID 4632 wrote to memory of 3412	4632	rundll32.exe	88
PID 4632 wrote to memory of 3412	4632	rundll32.exe	88
PID 4632 wrote to memory of 3412	4632	rundll32.exe	88
PID 3412 wrote to memory of 4768	3412	rundll32.exe	89
PID 3412 wrote to memory of 4768	3412	rundll32.exe	89
PID 3412 wrote to memory of 4768	3412	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\827386d4ee7d27217c2a77c58c44fb50_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\827386d4ee7d27217c2a77c58c44fb50_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\6j4bjr4e.dss,FFZ0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6j4bjr4e.dss,FFZ4
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6j4bjr4e.dss

Filesize
216KB

MD5
827386d4ee7d27217c2a77c58c44fb50

SHA1
4dbc46b603b60b2e9e8ebc14a071abbd5edd7322

SHA256
fcd1a0767a96fafb5d2bb4f57df1f4c39d5e5050f739a631ddf4f5d7d470f5e2

SHA512
2d305f03b56bcbbd72b9979c27fdb1b133e8bb0833945194a4a562c413a108b7692f5e00f4184cd197cdb0ca5e924aa4d2e7acb41519d579fa844d684dce3b68

Download Submit
memory/3412-98-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-47-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-105-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-12-0x0000000074743000-0x0000000074756000-memory.dmp

Filesize
76KB

Download
memory/3412-9-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-8-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3412-41-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-53-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-13-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-30-0x0000000074743000-0x0000000074756000-memory.dmp

Filesize
76KB

Download
memory/3412-64-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-92-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/3412-31-0x0000000074720000-0x0000000074757000-memory.dmp

Filesize
220KB

Download
memory/4632-28-0x0000000074BE3000-0x0000000074BF6000-memory.dmp

Filesize
76KB

Download
memory/4632-29-0x0000000074BC0000-0x0000000074BF7000-memory.dmp

Filesize
220KB

Download
memory/4632-3-0x0000000074BE3000-0x0000000074BF6000-memory.dmp

Filesize
76KB

Download
memory/4632-0-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/4632-4-0x0000000074BC0000-0x0000000074BF7000-memory.dmp

Filesize
220KB

Download
memory/4632-1-0x0000000074BC0000-0x0000000074BF7000-memory.dmp

Filesize
220KB

Download
memory/4768-34-0x0000000074623000-0x0000000074636000-memory.dmp

Filesize
76KB

Download
memory/4768-39-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-42-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-45-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-36-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-48-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-35-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-56-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-21-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4768-66-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-85-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-22-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-93-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-96-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download
memory/4768-24-0x0000000074623000-0x0000000074636000-memory.dmp

Filesize
76KB

Download
memory/4768-25-0x0000000074600000-0x0000000074637000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing