Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 08:24
Behavioral task behavioral1
  Sample: b28ec8dfc75e583da59b0e3037417604_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task behavioral2
  Sample: b28ec8dfc75e583da59b0e3037417604_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: b28ec8dfc75e583da59b0e3037417604_JaffaCakes118.dll
Size: 92KB
MD5: b28ec8dfc75e583da59b0e3037417604
SHA1: 00e78c4a979358f6dedb658bdfff0f5b8853c417
SHA256: 67c50459db7f0042d7e1a96ce113e60f0179978dfe810bdb0f5320a092ce3b71
SHA512: 6412a0b91561cd4249428132285eb40f42f769248617f0f19332345b1338893afc6ed606e4333847b9cdee495d1fb508c863646ad8173055841bb6848e8cca75
SSDEEP: 1536:ARRRRRRRRRRRRheeXrmWS56pPJ9kQ4oWeYMqqU+2bbbAV2/S2TOKyGBUd:irZa6pPEQhYMqqDL2/TOK
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  File opened (read-only) by rundll32.exe: \??\G:, \??\H:, \??\J:, \??\U:, \??\S:, \??\V:, \??\W:, \??\B:, \??\E:, \??\M:, \??\P:, \??\R:, \??\I:, \??\L:, \??\T:, \??\Z:, \??\X:, \??\Y:, \??\A:, \??\K:, \??\N:, \??\O:, \??\Q:
  (23 drive roots in total: every letter A: to Z: except C:, D: and F:)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1964  rundll32.exe
  1964  rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process       target process
  PID 1684 wrote to memory of 1964   1684  rundll32.exe  rundll32.exe
  (this row appears 7 times in the report)
Processes

C:\Windows\system32\rundll32.exe (PID 1684)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b28ec8dfc75e583da59b0e3037417604_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1964, child of 1684)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b28ec8dfc75e583da59b0e3037417604_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

The ",#1" in both command lines is rundll32's ordinal syntax: the DLL's export with ordinal 1 is called rather than a named export. The 64-bit System32 rundll32.exe relaunching the 32-bit SysWOW64 rundll32.exe with the same command line is what rundll32 does when handed a 32-bit DLL (the resource tags list arch:x86), and the seven PID 1684 -> 1964 WriteProcessMemory events are parent-to-child writes consistent with that hand-off; the report shows no write into an unrelated process. The drive sweep, CPU fingerprinting and process enumeration all come from the 32-bit child, PID 1964.
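The following is an added example, not the sandbox's own signature logic, showing how the three behaviours in the Signatures section and the parent/child relationship in the process tree can be turned into detection checks over normalised events. The EVENTS list is constructed from this report's tables; the event layout, the PIDs attached to the file and registry events (the report attributes them to the SysWOW64 rundll32.exe, PID 1964), the PARENT_OF map and the sweep threshold are assumptions made for the example.

```python
"""Detection checks over the behavioural events in this report (added example)."""
import re
from collections import Counter

# Drive letters in the order the report lists them (23 of 26; C:, D:, F: absent).
DRIVE_LETTERS = "GHJUSVWBEMPRILTZXYAKNOQ"
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Z]):")  # matches the \??\X: device-path form

# Constructed from the report's IoC tables; PID 1964 on file/registry events is assumed.
EVENTS = [
    {"pid": 1964, "process": "rundll32.exe", "op": "file_open", "path": f"\\??\\{d}:"}
    for d in DRIVE_LETTERS
]
EVENTS += [
    {"pid": 1964, "process": "rundll32.exe", "op": "reg_key_open", "path": CPU_KEY},
    {"pid": 1964, "process": "rundll32.exe", "op": "reg_value_query",
     "path": CPU_KEY + r"\ProcessorNameString"},
    {"pid": 1964, "process": "rundll32.exe", "op": "reg_value_query",
     "path": CPU_KEY + r"\Identifier"},
]
EVENTS += [
    {"pid": 1684, "process": "rundll32.exe", "op": "write_process_memory",
     "target_pid": 1964, "target_process": "rundll32.exe"}
] * 7  # the report shows this row seven times

# Parent relationship read off the process tree (System32 rundll32 -> SysWOW64 rundll32).
PARENT_OF = {1964: 1684}


def drive_root_opens(events, exclude=("C",)):
    """Per PID, the set of drive letters whose root directory was opened.
    The system drive is excluded so ordinary file access does not count."""
    per_pid = {}
    for e in events:
        if e["op"] != "file_open":
            continue
        m = DRIVE_ROOT.fullmatch(e["path"])
        if m and m.group(1) not in exclude:
            per_pid.setdefault(e["pid"], set()).add(m.group(1))
    return per_pid


def flag_drive_sweep(events, threshold=8):
    """PIDs that opened at least `threshold` distinct non-system drive roots.
    Opening most of A:..Z: in one run is a sweep for removable or mapped drives,
    not a single legitimate access; the threshold is an assumed tuning value."""
    return {pid: sorted(letters)
            for pid, letters in drive_root_opens(events).items()
            if len(letters) >= threshold}


def flag_cpu_fingerprint(events):
    """Per PID, the value names queried under the CentralProcessor key.
    ProcessorNameString and Identifier are the usual inputs to sandbox/VM checks."""
    prefix = CPU_KEY.upper() + "\\"
    hits = {}
    for e in events:
        if e["op"] == "reg_value_query" and e["path"].upper().startswith(prefix):
            hits.setdefault(e["pid"], set()).add(e["path"].rsplit("\\", 1)[1])
    return hits


def cross_process_writes(events):
    """Count WriteProcessMemory events as (writer PID, target PID) pairs."""
    return Counter((e["pid"], e["target_pid"])
                   for e in events if e["op"] == "write_process_memory")


def classify_writes(events, parent_of):
    """Label each writer->target pair. A write into a direct child is the normal
    CreateProcess hand-off; anything else is worth treating as an injection candidate."""
    return {pair: ("parent-to-child handoff" if parent_of.get(pair[1]) == pair[0]
                   else "injection candidate")
            for pair in cross_process_writes(events)}


if __name__ == "__main__":
    print("drive sweep:", flag_drive_sweep(EVENTS))
    print("cpu fingerprint:", flag_cpu_fingerprint(EVENTS))
    print("writes:", classify_writes(EVENTS, PARENT_OF))
```

Run stand-alone, the script reports PID 1964 sweeping 23 drive roots and reading both CPU values, and classifies the 1684 -> 1964 writes as a parent-to-child hand-off; dropping the parent relationship from PARENT_OF makes the same writes an injection candidate, which is the distinction the process tree supplies.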