e38532aad249fd6a082861afbd0050098df0679a1ae4aa2e1af36c06dc363d3c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0740c9e2113a54bc9a9f998dd7cdf91e_JaffaCakes118.dll
Size

12.1MB
MD5

0740c9e2113a54bc9a9f998dd7cdf91e
SHA1

9c786be88d160c3ea6c22a4b8b9911c83fb165c4
SHA256

e38532aad249fd6a082861afbd0050098df0679a1ae4aa2e1af36c06dc363d3c
SHA512

1b722e3acfe6910ccba13029478d93c2c2449a94c9abb0cd999d9a83014ab6bcdbe7c3348ce9dbe379df3ffdb57a20616fe3f52a374d85fbf4a2206a1fcd05f5
SSDEEP

393216:s4KW+RNqepWdL0yiP4c4toPFcj9hH02JAX:5KW+7qyWde4c3PA9hUTX

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x00000000000D0000-0x00000000000E8000-memory.dmp	upx
behavioral1/memory/1724-4-0x00000000000D0000-0x00000000000E8000-memory.dmp	upx
behavioral1/memory/1724-664-0x00000000000D0000-0x00000000000E8000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2732	sc.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Appearance\Schemes	rundll32.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1724	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1928 wrote to memory of 1724	1928	rundll32.exe	28
PID 1724 wrote to memory of 2208	1724	rundll32.exe	29
PID 1724 wrote to memory of 2208	1724	rundll32.exe	29
PID 1724 wrote to memory of 2208	1724	rundll32.exe	29
PID 1724 wrote to memory of 2208	1724	rundll32.exe	29
PID 2208 wrote to memory of 2732	2208	cmd.exe	31
PID 2208 wrote to memory of 2732	2208	cmd.exe	31
PID 2208 wrote to memory of 2732	2208	cmd.exe	31
PID 2208 wrote to memory of 2732	2208	cmd.exe	31
PID 1724 wrote to memory of 2544	1724	rundll32.exe	32
PID 1724 wrote to memory of 2544	1724	rundll32.exe	32
PID 1724 wrote to memory of 2544	1724	rundll32.exe	32
PID 1724 wrote to memory of 2544	1724	rundll32.exe	32
PID 2544 wrote to memory of 2664	2544	cmd.exe	34
PID 2544 wrote to memory of 2664	2544	cmd.exe	34
PID 2544 wrote to memory of 2664	2544	cmd.exe	34
PID 2544 wrote to memory of 2664	2544	cmd.exe	34
PID 2664 wrote to memory of 2676	2664	net.exe	35
PID 2664 wrote to memory of 2676	2664	net.exe	35
PID 2664 wrote to memory of 2676	2664	net.exe	35
PID 2664 wrote to memory of 2676	2664	net.exe	35
PID 1724 wrote to memory of 2656	1724	rundll32.exe	36
PID 1724 wrote to memory of 2656	1724	rundll32.exe	36
PID 1724 wrote to memory of 2656	1724	rundll32.exe	36
PID 1724 wrote to memory of 2656	1724	rundll32.exe	36
PID 2656 wrote to memory of 2372	2656	cmd.exe	38
PID 2656 wrote to memory of 2372	2656	cmd.exe	38
PID 2656 wrote to memory of 2372	2656	cmd.exe	38
PID 2656 wrote to memory of 2372	2656	cmd.exe	38
PID 2372 wrote to memory of 2532	2372	net.exe	39
PID 2372 wrote to memory of 2532	2372	net.exe	39
PID 2372 wrote to memory of 2532	2372	net.exe	39
PID 2372 wrote to memory of 2532	2372	net.exe	39
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 2436	1724	rundll32.exe	41
PID 1724 wrote to memory of 1016	1724	rundll32.exe	45
PID 1724 wrote to memory of 1016	1724	rundll32.exe	45
PID 1724 wrote to memory of 1016	1724	rundll32.exe	45
PID 1724 wrote to memory of 1016	1724	rundll32.exe	45
PID 1016 wrote to memory of 2560	1016	cmd.exe	47
PID 1016 wrote to memory of 2560	1016	cmd.exe	47
PID 1016 wrote to memory of 2560	1016	cmd.exe	47
PID 1016 wrote to memory of 2560	1016	cmd.exe	47
PID 2560 wrote to memory of 2672	2560	net.exe	48
PID 2560 wrote to memory of 2672	2560	net.exe	48
PID 2560 wrote to memory of 2672	2560	net.exe	48
PID 2560 wrote to memory of 2672	2560	net.exe	48
PID 1724 wrote to memory of 2668	1724	rundll32.exe	49
PID 1724 wrote to memory of 2668	1724	rundll32.exe	49
PID 1724 wrote to memory of 2668	1724	rundll32.exe	49
PID 1724 wrote to memory of 2668	1724	rundll32.exe	49
PID 2668 wrote to memory of 1392	2668	cmd.exe	51
PID 2668 wrote to memory of 1392	2668	cmd.exe	51

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0740c9e2113a54bc9a9f998dd7cdf91e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0740c9e2113a54bc9a9f998dd7cdf91e_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config "UxSms" start= demand
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\sc.exe
      sc config "UxSms" start= demand
      4⤵
      Launches sc.exe
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\net.exe
      net stop "Desktop Window Manager Session Manager"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
        5⤵
        
        PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net start "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\net.exe
      net start "Desktop Window Manager Session Manager"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
        5⤵
        
        PID:2532
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
    3⤵
    - Modifies Control Panel
    PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\net.exe
      net stop "Desktop Window Manager Session Manager"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
        5⤵
        
        PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net start "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\net.exe
      net start "Desktop Window Manager Session Manager"
      4⤵
      PID:1392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
        5⤵
        
        PID:1872
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
    3⤵
    - Modifies Control Panel
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net.exe
      net stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
        5⤵
        
        PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net start "Desktop Window Manager Session Manager"
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\net.exe
      net start "Desktop Window Manager Session Manager"
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
        5⤵
        
        PID:2944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:956

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
29e0e345438882a935d2c0baff457f6c

SHA1
aef4d88c8c81bc9d9440e1f94f792f6ab83e2b5a

SHA256
0c127592f7670047d0b1928fede6ecf7c827b9e8086500b23756e5c02d09a4c6

SHA512
8b87df27f7edc9328debeb3a0f68468d1d46615122e815d03330a9682776f85a47ef37889fc210fb28e56d91bf8cf0f0e594f90c3eaff5827dfd57b97a0b359b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
159bd6a587f370f16522b2a6f690bcc3

SHA1
c07d14fc439997e2f65b982c0702a985b36b9cf8

SHA256
9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993

SHA512
a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
7c048eaacd1820ac933dccc0b872fa05

SHA1
955999eb7463f7e4031d551e24fbd1e1fb812197

SHA256
614d7a9ca519b3aa741a512e95f6f99aedd25e8c1630d30d13dd9735b562b3be

SHA512
09f35a1a69344e64b13f0a54ecc82cd7dd1ee9124bfc274fcd5fe8af2a07e30bbf0841d9230591cbbe12bc8f066f5f36e1577b82d5d1f3f0eb6b9b5154ce5d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
05471356f0ea1c0f5f5b8deb29c3ebd1

SHA1
12b14b737d1e0f76ca2494fb7a6841e5792a0504

SHA256
cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7

SHA512
942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b65aeb1b3da0b96313cc6e10dde4afe0

SHA1
34039989280d6d5a45793deaab79665c79b74b8d

SHA256
0254d776e25aeb83f195aacc7d477cd37683932586b27fdb7f09836d08296a3c

SHA512
be5c22848ee3491061feaab9c8e708e04e5d34bc0d8b46e816e059e6616c0114cfe5f40aee935f9d5dee546a990efa3bca00bdec03bcc29fedad37d0dbda95ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
020570a88c0692f7f3d1d42379058765

SHA1
bef5e581e4c7ef4f171c165911145dca9c68287e

SHA256
16efc91532dc5d3d151ce5bdb882e6831d562a54bf8592c31052159ce929cddb

SHA512
1f47d19f8f2dc77e7ab9fa12b096bb41600f84b67cc22fd41886b9a759c32c3565db23a1dfe039a1d376ffe7d510b3603f0acc5df14886d254235329e074ef9e

Download Submit
memory/1724-3-0x0000000075BB0000-0x0000000075CC0000-memory.dmp

Filesize
1.1MB

Download
memory/1724-4-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/1724-0-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/1724-2-0x0000000002600000-0x0000000002A41000-memory.dmp

Filesize
4.3MB

Download
memory/1724-1-0x0000000035BB0000-0x0000000035BC0000-memory.dmp

Filesize
64KB

Download
memory/1724-663-0x0000000002600000-0x0000000002A41000-memory.dmp

Filesize
4.3MB

Download
memory/1724-664-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/1724-665-0x0000000075BB0000-0x0000000075CC0000-memory.dmp

Filesize
1.1MB

Download