Overview

overview

7

Static

static

3

1184f38a5a...18.dll

windows7-x64

7

1184f38a5a...18.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1184f38a5ab591929c39dc6af3012d50_JaffaCakes118.dll

  • Size

    383KB

  • MD5

    1184f38a5ab591929c39dc6af3012d50

  • SHA1

    28d5e8bcfa8967ec69265fd851f948e185c541de

  • SHA256

    ae3de70319b20534d219ae86900c2d54498b91078f76aa4f1a86c6cdb12e6cc9

  • SHA512

    1d89eff0e925426e0deaa312c86e6286fcd6ea8e820caab1dbba8e3fdd43d66029e9b4df18115b5cbdb37f227c14ec1eda658ecc97b1539fbfc654ce23817263

  • SSDEEP

    6144:IRD4MlqMABEN37jt9ZA3H8DaLCw0w6LhMA8aF8pVqEDFqf1b/3C:IRZQOrcHwwH6tMzaFg8EDcf1r3C

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1184f38a5ab591929c39dc6af3012d50_JaffaCakes118.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3556
  • C:\Windows\system32\lpkinstall.exe
    C:\Windows\system32\lpkinstall.exe
    1⤵
      PID:3064
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:4696
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qeHAN2.cmd
        1⤵
          PID:2180
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6951e91e-6b9e-1a22-c633-d33824079498}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6951e91e-6b9e-1a22-c633-d33824079498}"
            2⤵
              PID:2884
          • C:\Windows\system32\MDMAgent.exe
            C:\Windows\system32\MDMAgent.exe
            1⤵
              PID:4980
            • C:\Windows\system32\Netplwiz.exe
              C:\Windows\system32\Netplwiz.exe
              1⤵
                PID:3728
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Cvz.cmd
                1⤵
                • Drops file in System32 directory
                PID:1392
              • C:\Windows\System32\eventvwr.exe
                "C:\Windows\System32\eventvwr.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:3784
                • C:\Windows\system32\mmc.exe
                  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3392

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Cvz.cmd
                Filesize

                194B

                MD5

                673e410d626b89d5171244a43c2f9d16

                SHA1

                05fd3730f0b16bdc20aec186b4a50e2f91ee9e42

                SHA256

                6c60fd4056b8c1a45469b792eeb633e66da3b0c8d1408c162b3adefda8e0f856

                SHA512

                414ff67eaa43b520cb552f1de5a177102e250f7b0618c381299548c8b87bccdb1e503dd5e0a4ec4782f993a87933dd3840c0473ae681bf7e1a57490386c8ba7b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\L5C88.tmp
                Filesize

                384KB

                MD5

                9486e414add9d77ecb52e859fc79885c

                SHA1

                4953a6ff6578a504af830477c0dd6930cc0deb80

                SHA256

                e10550ef7b7dd9c9f1bcfe856190e50f313a96f2605c61d5caeaf8408b1cbf8f

                SHA512

                b27391cfa19a2fd5b6613bacc3b9f0cf96dc230e001ac3c11092275c041624318daeec08562b163e37ac474aa5f23632284cb928e7e576cda7f8083418a3aec4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\g5AF1.tmp
                Filesize

                386KB

                MD5

                2f8eec17005e767e3092d23f8472c894

                SHA1

                e701bf4eb3846d184be7a03d0d2ab159597721f4

                SHA256

                3d3f54b18ef7ec24e3ac736f32618928284694fc7d7a10c909f035b3e04fd9ee

                SHA512

                e02ac55f5c0291702c5f9e20be8d7c2a1caa04b5b00431acc5a227ba485dfc514852c8f2e8cde447c16dff5596b1fbb099fbf744aa59caf4a444c95e1a60006b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\qeHAN2.cmd
                Filesize

                232B

                MD5

                26ce47bd9dcc7db2c5fe46ab65e164ab

                SHA1

                3b6cc6887f274ad2349c0b8a59bd5cce674defbc

                SHA256

                187860300a50d86a567673ddb0e788492751098de375aa636979c9c32b958442

                SHA512

                945fd2b241095340c9c600a3d35ef4a9a1d38ae23e7ee0e784a73b1841939a7d2b97a11b069b5dcb20560f8829d45d7fd9c28cf9c6f152b669a9f27de0fc7223

                Download Submit

              • C:\Users\Admin\AppData\Roaming\HCoza\EhStorAuthn.exe
                Filesize

                128KB

                MD5

                d45618e58303edb4268a6cca5ec99ecc

                SHA1

                1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

                SHA256

                d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

                SHA512

                5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kqgfxymewp.lnk
                Filesize

                922B

                MD5

                9a9efb0a4b8de820a3ac47c807bddd90

                SHA1

                7749ee9b0c8273aa2072c7ddce4de07808e710f7

                SHA256

                f894163bc7a9ce402803ccd84e7682112f9f68e897d9d731faa3378f1cb8aeee

                SHA512

                975a3d3eaf7a0d2e7972baf163d4e89f4b3f53f753e22aa527472da277a8737bd63c35fb42f665a58e2263626369a9dc90b46e8c3f6659d3d4280094d5b558fd

                Download Submit

              • memory/3392-65-0x00007FFFD7200000-0x00007FFFD7CC1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3392-57-0x00007FF4A1A40000-0x00007FF4A1A50000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-56-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-55-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-54-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-53-0x00007FFFD7200000-0x00007FFFD7CC1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3392-59-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-83-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-93-0x00007FF4A1A40000-0x00007FF4A1A50000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3392-103-0x000000001D910000-0x000000001D920000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3512-14-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-12-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-34-0x00007FFFF5DC0000-0x00007FFFF5DD0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3512-23-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-17-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-16-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-43-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-10-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-11-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-32-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-13-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3512-15-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-9-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-7-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-8-0x000000007C000000-0x000000007C065000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3512-6-0x00007FFFF5D1A000-0x00007FFFF5D1B000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3556-5-0x000000005E8C0000-0x000000005E925000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3556-0-0x000000005E8C0000-0x000000005E925000-memory.dmp

                Filesize

                404KB

                Download

              • memory/3556-2-0x000001F65DB70000-0x000001F65DB73000-memory.dmp

                Filesize

                12KB

                Download