Overview

overview

7

Static

static

3

7e42b85a3c...18.dll

windows7-x64

Resubmissions

28-05-2024 20:22

240528-y5vrgaag9x 7

28-05-2024 20:21

240528-y5eegsag7y 7

28-05-2024 20:15

240528-y13arabg59 10

Analysis

  • max time kernel
    25s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 20:22

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    7e42b85a3c28e4d3fd1928efbb1b1716

  • SHA1

    5b9550a8987cf92b4cef087122199c716b39a7d5

  • SHA256

    824eb4ff3cf95ff179fff5e2f0f1cf01db9a4c70e0106177f40492310aa8d1f5

  • SHA512

    2dbbb1b1d48a9c3133a9a97394820ddf5a96a0dc7b75de6d70cc19e544a5add1b295c7b4eaae13fbe9dba848ef4b977c37d3a93e92084866fdbbe7bc5d000912

  • SSDEEP

    98304:+DqPoBhzLk36SAEdhvxWa9P593R8yAVp2H:+DqPeLk3ZAEUadzR8yc4H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        PID:2828
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2564
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:2864
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\system32\utilman.exe
        utilman.exe /debug
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:1880
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
      1⤵
        PID:2424
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1444

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\mssecsvc.exe
          Filesize

          3.6MB

          MD5

          b8fb46d2a1f577db36856c3277f76976

          SHA1

          88cccd52b450ce1e4abdd01674aa9c075c80d561

          SHA256

          25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09

          SHA512

          36e958c71ae9f42227f7f30268e87dccb7f3533e4871bc08899b5310effe0d12db4277940e090e60f0818405a2cde879d32920125b51b7edbbf949f48f84799c

          Download Submit
        • memory/2564-6-0x0000000002E10000-0x0000000002E11000-memory.dmp
          Filesize

          4KB

          Download