Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 11:41
Behavioral task: behavioral1
- Sample: 841ae0d54eea85a74707df444d53fd6a_JaffaCakes118.dll
- Resource: win7-20231129-en
- 4 signatures
- 150 seconds
General
- Target: 841ae0d54eea85a74707df444d53fd6a_JaffaCakes118.dll
- Size: 1.3MB
- MD5: 841ae0d54eea85a74707df444d53fd6a
- SHA1: ad45b52be3de723952c15b0a8839f83714aed0e3
- SHA256: 915440164a173d49d3a0d9b84d9705cf47105272ca98109abcd0128dd0cfaeaf
- SHA512: 5c5ed3c4b84b423c53a03bef575270f5974065294f6e993debe59570f08b562b48a2d80312342bf9efdf21d2bdfe59817e27985351b058dcc9bc672fdcce78e0
- SSDEEP: 24576:56auUvMeSA11gE6oqn3UdIWR+90fEMPCvZoi6568zDGfV6nwtmbxL9:J73d1o3Gdn1L9
Malware Config
Extracted
- Family: danabot
- C2:
- rsa_pubkey.plain
Signatures
- Blocklisted process makes network request (9 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  3     3672  rundll32.exe
  16    3672  rundll32.exe
  23    3672  rundll32.exe
  24    3672  rundll32.exe
  36    3672  rundll32.exe
  40    3672  rundll32.exe
  41    3672  rundll32.exe
  48    3672  rundll32.exe
  49    3672  rundll32.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid  pid_target  process       target process
  712  4384        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                          pid   process       target process
  PID 972 wrote to memory of 4384      972   rundll32.exe  rundll32.exe
  PID 972 wrote to memory of 4384      972   rundll32.exe  rundll32.exe
  PID 972 wrote to memory of 4384      972   rundll32.exe  rundll32.exe
  PID 4384 wrote to memory of 3672     4384  rundll32.exe  rundll32.exe
  PID 4384 wrote to memory of 3672     4384  rundll32.exe  rundll32.exe
  PID 4384 wrote to memory of 3672     4384  rundll32.exe  rundll32.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\841ae0d54eea85a74707df444d53fd6a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\841ae0d54eea85a74707df444d53fd6a_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\841ae0d54eea85a74707df444d53fd6a_JaffaCakes118.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 796
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4384 -ip 4384
Network
MITRE ATT&CK Matrix
Downloads
- memory/3672-2-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/3672-4-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/3672-6-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/4384-0-0x00000000022D0000-0x0000000002435000-memory.dmp (Filesize: 1.4MB)
- memory/4384-1-0x00000000022D0000-0x0000000002435000-memory.dmp (Filesize: 1.4MB)