Analysis
-
max time kernel
1s -
max time network
2s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 08:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1aa4726e4429d5e566548770dfa6a08f_JaffaCakes118.dll
Resource
win7-20240611-en
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
1aa4726e4429d5e566548770dfa6a08f_JaffaCakes118.dll
Resource
win10v2004-20240611-en
3 signatures
150 seconds
Errors
Reason
Machine shutdown
General
-
Target
1aa4726e4429d5e566548770dfa6a08f_JaffaCakes118.dll
-
Size
2KB
-
MD5
1aa4726e4429d5e566548770dfa6a08f
-
SHA1
537c79aeb1001ebce122f8849fc4bcd7563a09bd
-
SHA256
b3b5a7be0903155be5cc3b443e40223897802c43c9e5fa0b3e3bda3ee182be39
-
SHA512
28f815395c20f55270b0dc49147fda75ca50defa9cf4dca066626ac5f06798124dc3e7db36e06859eabf5a33bc67187c938457668ca7e38a6ec716952cf7372c
Score
6/10
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PhysicalDrive0 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeShutdownPrivilege 2656 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 940 wrote to memory of 2656 940 rundll32.exe rundll32.exe PID 940 wrote to memory of 2656 940 rundll32.exe rundll32.exe PID 940 wrote to memory of 2656 940 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa4726e4429d5e566548770dfa6a08f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa4726e4429d5e566548770dfa6a08f_JaffaCakes118.dll,#12⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken