Analysis
-
max time kernel
130s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 19:23
General
-
Target
6c038e685bc79b14f7a8d021172fccb2_JaffaCakes118.dll
-
Size
96KB
-
MD5
6c038e685bc79b14f7a8d021172fccb2
-
SHA1
879eb98a697cfc932bf8b69356e3564d477c4567
-
SHA256
1a1f96760887c076a2a656cd841b46bb2c24cf6f49545af26772cd6c7a652aea
-
SHA512
22c10a461f581b0c4269aebdecb87fba8e1896a35771c0195f206b11c19a32f0316926cbfb9096c025fc71b13e8eb3f12c972577e64996e78d9c42d621e41152
-
SSDEEP
1536:DqN5DQW3dIw5z/c1CHDV2bTRrcuqjNnT3dPbxM/4xoT0dt+t:wNIwhkeMbTRAjjFKm4
Score
10/10
Malware Config
Extracted
Family
cobaltstrike
C2
http://opncloud.net:443/full-beta.crl
Attributes
-
user_agent
User-Agent: Microsoft-CryptoAPI /10.0 Accept-Encoding: identity Host: opncloud.net
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c038e685bc79b14f7a8d021172fccb2_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c set ehlmjYTHBB=682 & reg add HKCU\SOFTWARE\ikOGWhMCdq /v gLPckSZwUoi /t REG_DWORD /d 3192 & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\SOFTWARE\ikOGWhMCdq /v gLPckSZwUoi /t REG_DWORD /d 31923⤵
- Modifies registry key
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
128KB