Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 13:31
Behavioral task behavioral1
  Sample: JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll
  Resource: win7-20241010-en

Behavioral task behavioral2
  Sample: JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll
  Resource: win10v2004-20250314-en

The signatures and process tree on this page come from the behavioral2 run (win10v2004-20250314-en), the resource named in the Analysis block above.
General

Target: JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll
Size: 92KB
MD5: 98bdfe850392488fdf9c095dec277d7a
SHA1: a5955cee800b82cb4f4960022a458aa6315e7bdd
SHA256: 8ccd60bef0c3fec91c51f3ac7c473d342b6dc6145f3267f0f780afeebf726380
SHA512: e71dc8483fac2b70db688ecb31932d4ec80cb9d559151910136ebd60c6a2beea5a7daaa25105957851c1834d636741d6ee950a4226959539db4c0830d6b93cc7
SSDEEP: 1536:zShWgnBHBqL2uPj+v/9qYziQnk2E4C11O/FmHTD34CYYhh9QIZ5O8hvEnmnt:+WgBHBqS9qYziQnXEd11lheIZ5lwm
Malware Config

Extracted: metasploit
  encoder/fnstenv_mov (Metasploit's x86/fnstenv_mov module, the "Variable-length Fnstenv/mov Dword XOR Encoder": a fnstenv-based GetPC stub followed by a fixed-key dword XOR loop over the payload)
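The encoder the report extracted is Metasploit's x86/fnstenv_mov. What follows is an added example, not code from the report or from Metasploit: it locates the encoder's decoder stub in a byte blob, pulls the fixed dword key out of the xor instruction, and unwraps the payload without emulation. The stub layout in the docstring is my recollection of the module (verify it against modules/encoders/x86/fnstenv_mov.rb before using the marker bytes as a signature), and the encode helper, the constant names and the sample bytes are constructed for this demonstration.

```python
"""
Added example, not code from the sandbox report: statically unwrap a payload
encoded with Metasploit's x86/fnstenv_mov encoder, the encoder the report
extracted as "encoder/fnstenv_mov".

Decoder stub layout (my recollection of the Metasploit module, not from the
report):

    <set ecx = dword count>  ; emitted by Rex::Arch::X86.set, so it varies
    d9 ee                    fldz
    d9 74 24 f4              fnstenv [esp-0xc] ; saved FPU IP lands at [esp]
    5b                       pop ebx           ; ebx = address of fldz (GetPC)
    81 73 13 KK KK KK KK     xor dword [ebx+0x13], key
    83 eb fc                 sub ebx, -4       ; ebx += 4
    e2 f4                    loop              ; back to the xor
    <encoded payload>                          ; begins at fldz + 0x13

One fixed dword key is applied to every dword, so once the stub is located
the payload can be recovered without running it.
"""
import struct
from typing import Optional, Tuple

# fldz; fnstenv [esp-0xc]; pop ebx; xor dword [ebx+0x13], <4-byte key follows>
STUB_MARKER = bytes.fromhex("d9ee" "d97424f4" "5b" "817313")
# sub ebx, -4; loop  (immediately after the key)
STUB_TAIL = bytes.fromhex("83ebfc" "e2f4")
PAYLOAD_OFFSET = 0x13  # displacement used by the xor: fldz -> first encoded dword


def find_fnstenv_mov_stub(blob: bytes) -> Optional[Tuple[int, int]]:
    """Locate the stub; return (offset of fldz, xor key) or None."""
    pos = blob.find(STUB_MARKER)
    while pos != -1:
        key_off = pos + len(STUB_MARKER)
        tail_off = key_off + 4
        # Require the sub/loop tail after the key so stray bytes do not match.
        if blob[tail_off:tail_off + len(STUB_TAIL)] == STUB_TAIL:
            (key,) = struct.unpack("<I", blob[key_off:tail_off])
            return pos, key
        pos = blob.find(STUB_MARKER, pos + 1)
    return None


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR data with the little-endian dword key, repeating every 4 bytes.
    The stub's loop runs ceil(len/4) times, so a trailing partial dword is
    transformed as well; byte-wise XOR with the cycling key reproduces that."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def decode_fnstenv_mov(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload following the first stub in blob, or None."""
    hit = find_fnstenv_mov_stub(blob)
    if hit is None:
        return None
    fldz_off, key = hit
    return xor_dwords(blob[fldz_off + PAYLOAD_OFFSET:], key)


def encode_fnstenv_mov(payload: bytes, key: int) -> bytes:
    """Build a blob shaped like the encoder's output, using the plain
    'mov ecx, imm32' form of the counter. Used here only to construct
    test input; it is not a substitute for msfvenom."""
    count = (len(payload) - 1) // 4 + 1          # same rounding as the module
    stub = b"\xb9" + struct.pack("<I", count)     # mov ecx, count
    stub += STUB_MARKER + struct.pack("<I", key) + STUB_TAIL
    return stub + xor_dwords(payload, key)


if __name__ == "__main__":
    # Constructed input: not shellcode, just bytes that show the round trip.
    sample = b"constructed payload, not real shellcode\x90\xcc"
    blob = encode_fnstenv_mov(sample, 0xDEADBEEF)
    print("stub at", find_fnstenv_mov_stub(blob))
    print("decoded:", decode_fnstenv_mov(blob))
```

Because the counter-setting instruction is generated by Rex::Arch::X86.set and changes with the bad-character set, the scan anchors on the fldz/fnstenv/pop/xor sequence rather than on the start of the stub; the decoded bytes are everything from fldz + 0x13 to the end of the buffer, so trim them to the dword count if you also parse the counter.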
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation  (rundll32.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation  (rundll32.exe)

Loads dropped DLL (1 IoC)
  PID 1232  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDLL (nnetstats.exe) = "rundll32.exe C:\\Windows\\system32\\nnetstats.exe,start"  (rundll32.exe)
  Note: the value lands under WOW6432Node because it is written by the 32-bit (SysWOW64) rundll32.exe and redirected by WOW64 registry redirection. When hunting on a 64-bit host, check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run.

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\nnetstats.exe  (rundll32.exe)
  File opened for modification: C:\Windows\SysWOW64\nnetstats.exe  (rundll32.exe)
  Note: the Run value references C:\Windows\system32\nnetstats.exe while the file is created under C:\Windows\SysWOW64, which is consistent with a 32-bit process writing to system32 and file system redirection mapping it to SysWOW64. Despite the .exe extension the file is loaded by rundll32 as a library (export "start"; see "Loads dropped DLL" for PID 1232).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (rundll32.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target  events
  PID 1068 wrote to memory of 1728   1068  rundll32.exe  85             3
  PID 1728 wrote to memory of 1232   1728  rundll32.exe  89             3
  PID 1728 wrote to memory of 5716   1728  rundll32.exe  90             3
  PID 5420 wrote to memory of 776    5420  cmd.exe       92             2
  Note: every target is a direct child of the writing process in the tree below, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Windows\system32\rundll32.exe  (PID 1068)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe  (PID 1728)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll,#1
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\rundll32.exe  (PID 1232)
          "C:\Windows\System32\rundll32.exe" C:\Windows\system32\nnetstats.exe,start
          - Checks computer location settings
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
      └ C:\Windows\SysWOW64\cmd.exe  (PID 5716)
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
          - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  (PID 5420)
  C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\nnetstats.exe,start
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\rundll32.exe  (PID 776)
      rundll32.exe C:\Windows\system32\nnetstats.exe,start

Reading the tree: the sample is 32-bit (the 64-bit rundll32.exe re-executes the same command line under SysWOW64, and the Run value lands under WOW6432Node), so the top-level rundll32.exe (PID 1068) hands the DLL to the SysWOW64 rundll32.exe (PID 1728), which is where every behavioural signature fires. PID 1728 drops nnetstats.exe, registers the Run value, re-launches through the dropped file (PID 1232, export "start"), and runs an uninstall.bat from the temp directory (its contents are not shown on this page). The second tree (PIDs 5420 and 776) is the Run command executed from a 64-bit cmd.exe; that 64-bit rundll32.exe resolves C:\Windows\system32 to the real System32, where nothing was dropped, which is consistent with PID 776 showing no "Loads dropped DLL" signature.
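As an added example (not code from the report or the sandbox), the detection logic a SOC would derive from the signatures and the process tree above, run over constructed Sysmon-style events that mirror the report's IoCs. The three checks are rundll32 loading a module whose extension is not .dll, a Run value whose command is such a rundll32 invocation, and rundll32.exe creating a file under System32 or SysWOW64. The event field names follow Sysmon's schema; the SAMPLE_EVENTS, the rule names and the regular expressions are this example's own assumptions.

```python
"""
Added example, not part of the sandbox report: detection logic for the
persistence chain the report's signatures and process tree show, run over
constructed Sysmon-style events. Checks:
  1. rundll32 asked to load a module whose extension is not .dll
     (here C:\\Windows\\system32\\nnetstats.exe with export "start"),
  2. a Run value whose command is such a rundll32 invocation,
  3. rundll32.exe creating a file under System32 or SysWOW64.
Field names follow Sysmon (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryEvent SetValue); the events are built from the report's IoCs,
not captured from a host.
"""
import re
from typing import Dict, List, Optional, Tuple

# rundll32[.exe] <module>,<export>; the module may be quoted (paths with
# spaces) and the rundll32 path itself may be quoted, as for PID 1232.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^",\s]+))\s*,\s*(?P<export>[#\w]+)',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

Finding = Tuple[str, int, str]  # (rule name, pid, evidence)


def rundll32_non_dll_module(command_line: str) -> Optional[str]:
    """Return the module rundll32 is told to load if it is not a .dll, else None."""
    m = RUNDLL32_RE.search(command_line)
    if not m:
        return None
    module = m.group("q") or m.group("u")
    return None if module.lower().endswith(".dll") else module


def evaluate(events: List[Dict]) -> List[Finding]:
    """Apply the three checks to a list of events and return the findings."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            module = rundll32_non_dll_module(ev["CommandLine"])
            if module:
                findings.append(("rundll32_non_dll_module", ev["ProcessId"], module))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            if rundll32_non_dll_module(ev["Details"]):
                findings.append(("run_key_rundll32_non_dll", ev["ProcessId"], ev["TargetObject"]))
        elif eid == 11 and ev["Image"].lower().endswith("\\rundll32.exe"):
            if ev["TargetFilename"].lower().startswith(SYSTEM_DIRS):
                findings.append(("rundll32_writes_system_dir", ev["ProcessId"], ev["TargetFilename"]))
    return findings


# Constructed events mirroring the report (HKLM notation as Sysmon logs it).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1068, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98bdfe850392488fdf9c095dec277d7a.dll,#1"},
    {"EventID": 11, "ProcessId": 1728, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\nnetstats.exe"},
    {"EventID": 13, "ProcessId": 1728, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDLL (nnetstats.exe)",
     "Details": r"rundll32.exe C:\Windows\system32\nnetstats.exe,start"},
    {"EventID": 1, "ProcessId": 1232, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\system32\nnetstats.exe,start'},
    # Benign control: a stock rundll32 call that must not fire.
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, pid, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {evidence}")
```

On the constructed input the three malicious events fire one rule each and the benign shell32.dll call stays silent. The non-.dll rule is the one most worth tuning against a baseline from your own fleet; the Run-key and System32-write rules keyed on rundll32.exe as the writing image are narrow enough to alert on directly.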
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (name not shown on this page)
  Filesize: 266B
  MD5: 5cb9814c38b335962a9c1292c26ee88c
  SHA1: 95a4ae5bb6dc8f29f875bab1e4b947ab76d70874
  SHA256: 16b78937aef1d0cb149ac3f485b1b637c98f053a99bfa67b0ddbe5cffb2ea90e
  SHA512: e7a60d7512da95659f131345df69b26b7947a6599606aac7436865192eb5513417531d6617f2e88c4db61467a7ebf6fdfc6862eb5ff361ac4695c8d0625fb2a4

File 2 (hashes match the submitted sample in the General block)
  Filesize: 92KB
  MD5: 98bdfe850392488fdf9c095dec277d7a
  SHA1: a5955cee800b82cb4f4960022a458aa6315e7bdd
  SHA256: 8ccd60bef0c3fec91c51f3ac7c473d342b6dc6145f3267f0f780afeebf726380
  SHA512: e71dc8483fac2b70db688ecb31932d4ec80cb9d559151910136ebd60c6a2beea5a7daaa25105957851c1834d636741d6ee950a4226959539db4c0830d6b93cc7