Analysis
-
max time kernel
103s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 17:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_8e885af41b57f66b0c170e8ca085a159.dll
Resource
win7-20250207-en
4 signatures
150 seconds
General
-
Target
JaffaCakes118_8e885af41b57f66b0c170e8ca085a159.dll
-
Size
566KB
-
MD5
8e885af41b57f66b0c170e8ca085a159
-
SHA1
2a9bcaa5a593055e17a77fb8bae45783c99de8c4
-
SHA256
77a0c90db93a612d4ebe697bb8548f5ca27522b8f426267ff47ba8af421dd545
-
SHA512
08d19a52f39a2ee0f17c27f9f21c873d373e44ca1a9696b840412195db7b772541fce06d83dbc8cc7de4bd67a96fa0036f9a3d94b144b77f0619230eeb8f3c72
-
SSDEEP
3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Z:jDgtfRQUHPw06MoV2nwTBlhm8x
Malware Config
Signatures
-
Yunsip family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4044 wrote to memory of 1336 4044 rundll32.exe 87 PID 4044 wrote to memory of 1336 4044 rundll32.exe 87 PID 4044 wrote to memory of 1336 4044 rundll32.exe 87
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e885af41b57f66b0c170e8ca085a159.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e885af41b57f66b0c170e8ca085a159.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:1336
-