Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 18:13
Behavioral task: behavioral1
  Sample: 1c0225bdf8e7c7fc956ab3d212e75c10_JaffaCakes118.dll
  Resource: win7-20240611-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 1c0225bdf8e7c7fc956ab3d212e75c10_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
  5 signatures, 150 seconds
General
Target: 1c0225bdf8e7c7fc956ab3d212e75c10_JaffaCakes118.dll
Size: 524KB
MD5: 1c0225bdf8e7c7fc956ab3d212e75c10
SHA1: bec5cf0c2ab8802229ef5c27a28f021db3241ff8
SHA256: 6fe20ff062b6984db3b53409681f9effd51ba1f8d52583ba932148ebdf753435
SHA512: 3b31ede8b4296c7b660fcd9f9aee9480e211bd9e438165888cee3e7e45a286281e46fcfac975a6f5c7051b3b536b8b318331400219a98bb23361366f38d86f95
SSDEEP: 12288:P3dia0V/LcQzxKfptPZ8aS833molJV4N5SMsD2Ksy/LWC21W:x0V/LvzwRoSmolJV46MesKLf21W
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid  process
  2     860  rundll32.exe
  3     860  rundll32.exe
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/860-2-0x0000000010000000-0x0000000010084000-memory.dmp  vmprotect
  behavioral1/memory/860-1-0x0000000010000000-0x0000000010084000-memory.dmp  vmprotect
  behavioral1/memory/860-0-0x0000000010000000-0x0000000010084000-memory.dmp  vmprotect
  behavioral1/memory/860-3-0x0000000010000000-0x0000000010084000-memory.dmp  vmprotect
Drops file in System32 directory (1 IoC)
Processes:
  description                   ioc                               process
  File opened for modification  C:\Windows\SysWOW64\tlconfig.ini  rundll32.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      2520  wmic.exe
  Token: SeSecurityPrivilege           2520  wmic.exe
  Token: SeTakeOwnershipPrivilege      2520  wmic.exe
  Token: SeLoadDriverPrivilege         2520  wmic.exe
  Token: SeSystemProfilePrivilege      2520  wmic.exe
  Token: SeSystemtimePrivilege         2520  wmic.exe
  Token: SeProfSingleProcessPrivilege  2520  wmic.exe
  Token: SeIncBasePriorityPrivilege    2520  wmic.exe
  Token: SeCreatePagefilePrivilege     2520  wmic.exe
  Token: SeBackupPrivilege             2520  wmic.exe
  Token: SeRestorePrivilege            2520  wmic.exe
  Token: SeShutdownPrivilege           2520  wmic.exe
  Token: SeDebugPrivilege              2520  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2520  wmic.exe
  Token: SeRemoteShutdownPrivilege     2520  wmic.exe
  Token: SeUndockPrivilege             2520  wmic.exe
  Token: SeManageVolumePrivilege       2520  wmic.exe
  Token: 33                            2520  wmic.exe
  Token: 34                            2520  wmic.exe
  Token: 35                            2520  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2520  wmic.exe
  Token: SeSecurityPrivilege           2520  wmic.exe
  Token: SeTakeOwnershipPrivilege      2520  wmic.exe
  Token: SeLoadDriverPrivilege         2520  wmic.exe
  Token: SeSystemProfilePrivilege      2520  wmic.exe
  Token: SeSystemtimePrivilege         2520  wmic.exe
  Token: SeProfSingleProcessPrivilege  2520  wmic.exe
  Token: SeIncBasePriorityPrivilege    2520  wmic.exe
  Token: SeCreatePagefilePrivilege     2520  wmic.exe
  Token: SeBackupPrivilege             2520  wmic.exe
  Token: SeRestorePrivilege            2520  wmic.exe
  Token: SeShutdownPrivilege           2520  wmic.exe
  Token: SeDebugPrivilege              2520  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2520  wmic.exe
  Token: SeRemoteShutdownPrivilege     2520  wmic.exe
  Token: SeUndockPrivilege             2520  wmic.exe
  Token: SeManageVolumePrivilege       2520  wmic.exe
  Token: 33                            2520  wmic.exe
  Token: 34                            2520  wmic.exe
  Token: 35                            2520  wmic.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        pid   process       target process
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 2248 wrote to memory of 860    2248  rundll32.exe  rundll32.exe
  PID 860 wrote to memory of 2520    860   rundll32.exe  wmic.exe
  PID 860 wrote to memory of 2520    860   rundll32.exe  wmic.exe
  PID 860 wrote to memory of 2520    860   rundll32.exe  wmic.exe
  PID 860 wrote to memory of 2520    860   rundll32.exe  wmic.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c0225bdf8e7c7fc956ab3d212e75c10_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c0225bdf8e7c7fc956ab3d212e75c10_JaffaCakes118.dll,#1
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic process 860 call terminate
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/860-2-0x0000000010000000-0x0000000010084000-memory.dmp (Filesize: 528KB)
- memory/860-1-0x0000000010000000-0x0000000010084000-memory.dmp (Filesize: 528KB)
- memory/860-0-0x0000000010000000-0x0000000010084000-memory.dmp (Filesize: 528KB)
- memory/860-3-0x0000000010000000-0x0000000010084000-memory.dmp (Filesize: 528KB)