Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 20:34
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_43729648b032f8b8bf315299d8894237.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_43729648b032f8b8bf315299d8894237.dll
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_43729648b032f8b8bf315299d8894237.dll
- Size: 88KB
- MD5: 43729648b032f8b8bf315299d8894237
- SHA1: c6f8261b0e6a0542eff89daf8fa04d51d6e5cddb
- SHA256: b9fd0c7b637f61a56c22c9a60fcbbae33c41558b45e0b44e6d0dd21bd194fab3
- SHA512: 5f8ae8006393bcceef28deb670d3df7734572af65a92e6a2f300ba51b3d6b59f981f7bf47eef7420675c89f845745db13598d090e5b443ebb8e6b799c763fc49
- SSDEEP: 1536:C1hQQOyDyIw8xY0hzyZ6QdIg6Wncl6yno8PcX0BryNZHOVS+vDDDZP04L8:2AXSzvQdIghnCAX/O0+7ps4
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  IoC: File opened for modification: \??\PhysicalDrive0 (process: rundll32.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  IoC: Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  IoC: pid 2876, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  IoC: PID 2256 wrote to memory of 2876 (pid 2256, process rundll32.exe, procid_target 29); the same event is recorded seven times in the report.
Processes
- C:\Windows\system32\rundll32.exe (PID 2256), command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43729648b032f8b8bf315299d8894237.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 2876), command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43729648b032f8b8bf315299d8894237.dll,#1
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses