Analysis

max time kernel: 134s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 01:46
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll
Resource: win7-20240903-en
General

Target: JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll
Size: 923KB
MD5: 6979b722b91b41c241800034d5cca3d0
SHA1: 1e09000e0ed0c3e7449526193ecc7fed117d3d2f
SHA256: cb86243a668e3785a115115d394c55c01a6c9fa967934918b68f1040ecbe66f9
SHA512: fc81eca5d2a1d638298e885eae55bbfb4f79537fb153f68fd177cf29e060a3687e302055d29964310a9c9ac6749a5d53d3bc91f9648b66dbe3d91c700f8f6ced
SSDEEP: 24576:hL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0FGrSiva:LK5hPILYHSfeY9nIWMa
Malware Config
Signatures
Ramnit family

Executes dropped EXE (1 IoC)
pid   Process
2716  rundll32mgr.exe

Loads dropped DLL (2 IoCs)
pid   Process
2844  rundll32.exe
2844  rundll32.exe

Drops file in System32 directory (1 IoC)
description   ioc                                  Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
YARA rule matches (rule: upx, on the dropped file and on the memory of PID 2716)
resource                                                                     yara_rule
behavioral1/files/0x000b000000012281-10.dat                                  upx
behavioral1/memory/2716-12-0x0000000000400000-0x0000000000462000-memory.dmp  upx
behavioral1/memory/2716-17-0x0000000000400000-0x0000000000462000-memory.dmp  upx
behavioral1/memory/2716-16-0x0000000000400000-0x0000000000462000-memory.dmp  upx
behavioral1/memory/2716-13-0x0000000000400000-0x0000000000462000-memory.dmp  upx
behavioral1/memory/2716-18-0x0000000000400000-0x0000000000462000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\ (prefix omitted from the ioc column).
description       ioc                                                                 Process
Set value (int)   Main\CompatibilityFlags = "0"                                        iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
Key created       GPU                                                                  iexplore.exe
Key created       InternetRegistry                                                     iexplore.exe
Key created       Toolbar                                                              iexplore.exe
Key created       Toolbar\WebBrowser                                                   iexplore.exe
Key created       DomainSuggestion                                                     iexplore.exe
Key created       IntelliForms                                                         iexplore.exe
Key created       Recovery\AdminActive                                                 iexplore.exe
Key created       LowRegistry\DOMStorage                                               iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"                        iexplore.exe
Set value (str)   Main\FullScreen = "no"                                               iexplore.exe
Set value (int)   DomainSuggestion\NextUpdateDate = "442030651"                        iexplore.exe
Key created       Main                                                                 iexplore.exe
Key created       LowRegistry\DontShowMeThisDialogAgain                                iexplore.exe
Key created       Zoom                                                                 iexplore.exe
Key created       Recovery\PendingRecovery                                             iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                           iexplore.exe
Key created       IETld\LowMic                                                         iexplore.exe
Key created       BrowserEmulation\LowMic                                              iexplore.exe
Key created       LowRegistry                                                          iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                           iexplore.exe
Key created       PageSetup                                                            iexplore.exe
Set value (int)   Recovery\AdminActive\{8A397791-C974-11EF-8E45-E699F793024F} = "0"   iexplore.exe
Key created       Main\WindowsSearch                                                   iexplore.exe
Key created       Main                                                                 IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe
2716  rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2716  rundll32mgr.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
3028  iexplore.exe
3028  iexplore.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid   Process
3028  iexplore.exe
3028  iexplore.exe
3028  iexplore.exe
3028  iexplore.exe
2624  IEXPLORE.EXE
2624  IEXPLORE.EXE
2624  IEXPLORE.EXE
2624  IEXPLORE.EXE
2624  IEXPLORE.EXE
2624  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (23 IoCs)
description                       pid   Process          procid_target
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2792 wrote to memory of 2844  2792  rundll32.exe     31
PID 2844 wrote to memory of 2716  2844  rundll32.exe     32
PID 2844 wrote to memory of 2716  2844  rundll32.exe     32
PID 2844 wrote to memory of 2716  2844  rundll32.exe     32
PID 2844 wrote to memory of 2716  2844  rundll32.exe     32
PID 2716 wrote to memory of 3028  2716  rundll32mgr.exe  33
PID 2716 wrote to memory of 3028  2716  rundll32mgr.exe  33
PID 2716 wrote to memory of 3028  2716  rundll32mgr.exe  33
PID 2716 wrote to memory of 3028  2716  rundll32mgr.exe  33
PID 2716 wrote to memory of 2756  2716  rundll32mgr.exe  34
PID 2716 wrote to memory of 2756  2716  rundll32mgr.exe  34
PID 2716 wrote to memory of 2756  2716  rundll32mgr.exe  34
PID 2716 wrote to memory of 2756  2716  rundll32mgr.exe  34
PID 3028 wrote to memory of 2624  3028  iexplore.exe     35
PID 3028 wrote to memory of 2624  3028  iexplore.exe     35
PID 3028 wrote to memory of 2624  3028  iexplore.exe     35
PID 3028 wrote to memory of 2624  3028  iexplore.exe     35
Processes
(indentation shows the process tree depth; the original report marked each entry with its depth number)

[1] C:\Windows\system32\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1
    PID: 2792
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1
        PID: 2844
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32mgr.exe
            Command: C:\Windows\SysWOW64\rundll32mgr.exe
            PID: 2716
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files\Internet Explorer\iexplore.exe
                Command: "C:\Program Files\Internet Explorer\iexplore.exe"
                PID: 3028
                - Modifies Internet Explorer settings
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
                    PID: 2624
                    - System Location Discovery: System Language Discovery
                    - Modifies Internet Explorer settings
                    - Suspicious use of SetWindowsHookEx

            [4] C:\Program Files\Internet Explorer\iexplore.exe
                Command: "C:\Program Files\Internet Explorer\iexplore.exe"
                PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads