474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll
Size

2.2MB
MD5

feb0bf5b0d7f6820c330fa45091cd189
SHA1

a1f50429415bc7cbf1706c22dfdca734173fb9ac
SHA256

474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0
SHA512

07f208c66899c0f298037dd8aab4d772e2ef6321a36519112e5d677170a58ee19d69e8a397ae0cb485cc1f2c71d82b55c004d96cf40c459fbda3b405602670f8
SSDEEP

24576:52WdDKT6lr1CDu2ruh59hmxxJNOjOAUBJjlD4qH5vlalua2UotfG6o:53DlBEidgxJN5AejlD4uvlab2UotfG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe vchelp.exe"	Regedit.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\guFgF0yg.dll	rundll32.exe
File created	C:\windows\SysWOW64\VDHJBG.DLL	rundll32.exe
File created	C:\windows\SysWOW64\WLRUKOUTHLOO.LDO	rundll32.exe
File created	C:\Windows\SysWOW64\guFgF0yg.dll	rundll32.exe
File created	C:\windows\SysWOW64\IJJAQTYACAZX.DLL	rundll32.exe
File created	C:\WINDOWS\SysWOW64\wbem\RPUTKQQQUXRRL.MDA	rundll32.exe
File opened for modification	C:\WINDOWS\SysWOW64\wbem\RPUTKQQQUXRRL.MDA	rundll32.exe
File created	C:\Windows\SysWOW64\arun.reg	rundll32.exe
File opened for modification	C:\windows\SysWOW64\IJJAQTYACAZX.DLL	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2408	Regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2340 wrote to memory of 2472	2340	rundll32.exe	28
PID 2472 wrote to memory of 2608	2472	rundll32.exe	29
PID 2472 wrote to memory of 2608	2472	rundll32.exe	29
PID 2472 wrote to memory of 2608	2472	rundll32.exe	29
PID 2472 wrote to memory of 2608	2472	rundll32.exe	29
PID 2472 wrote to memory of 2408	2472	rundll32.exe	31
PID 2472 wrote to memory of 2408	2472	rundll32.exe	31
PID 2472 wrote to memory of 2408	2472	rundll32.exe	31
PID 2472 wrote to memory of 2408	2472	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\~Delbat01.bat
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\Regedit.exe
    Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\~Delbat01.bat

Filesize
155B

MD5
ce29ce092d95c693db33cbeaee2aae9b

SHA1
848b943115c42dd63e4d4f3b722d39b55276e746

SHA256
eb2db8dd6eb8ebc05d9041713dfc40641e57b941e408ee2ac28bf4aea660165c

SHA512
66a8b3150bfd276162ab41497619fd25529f30912c412275fc25d56963c2bdae632226d84539562fb85a67083480b11d6bfba3cd2593f47b1ce315568a877aff

Download Submit
C:\Windows\SysWOW64\arun.reg

Filesize
149B

MD5
adfc8b71e83fe2857ee9679492f69327

SHA1
691d668a9bafd29397d07d40f7a9835c2a69995b

SHA256
ce08d9de9b28cee3e147505a99335f3b7f5ab1b82dc009032864c0c1b911cd3c

SHA512
13f37167233bf6b00c0f23174e336f7abfbcded6e7bf8d6d5d146459a74f03cfe96a6e414d5ebfe55967be4c02a3f4e6f23cc2c5333180338a45ad7507ced822

Download Submit
C:\Windows\SysWOW64\guFgF0yg.dll

Filesize
1KB

MD5
9270fe4dd364e2ecb28d06a79a01e545

SHA1
d685712fd0670950322d0b2096ea6c8f72d7399e

SHA256
67492e722bb436d328daab8e75325599ae95b14164ccf2d2804ee1f48a2c5789

SHA512
849b4bb9823be7e9e8d46a4cfc94e5dfceaddfa32d4646b18137d0e52d57e3c9444a441f788d9dd6d407756c4fa00d8452c49a3b6e28dc9154a55c17fbc9837f

Download Submit
memory/2472-0-0x0000000002110000-0x0000000002343000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads