Overview

overview

8

Static

static

3

04880fd0b2...18.dll

windows7-x64

8

04880fd0b2...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04880fd0b2663d31f63141ad83948d11_JaffaCakes118.dll

  • Size

    14KB

  • MD5

    04880fd0b2663d31f63141ad83948d11

  • SHA1

    64c535757dc7d41cd82710e4202f0ac9e17412cd

  • SHA256

    378d720ecbe3e27ae283257f0e15bebbfabab4610c929a91a1b19226d3e787e5

  • SHA512

    cc5e1f252222965180c6347107b665430a448de122d0934f5a512fa1ab90d56720669ab7a0ee6ad1481f239815512bb0d02377556a527c9df0e0819cfed9a22a

  • SSDEEP

    384:d94Q5CpkV+svcYEe5JJblqdOI3H+eQwxZ6//WiP9LmSB+cllklN:d9HCRybEKlgOIOdwvm/W0xAN

Score
8/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\04880fd0b2663d31f63141ad83948d11_JaffaCakes118.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\04880fd0b2663d31f63141ad83948d11_JaffaCakes118.dll,#1
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1184-4-0x0000000002E80000-0x0000000002E81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-2-0x0000000025012000-0x0000000025013000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-1-0x0000000025000000-0x000000002501A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1816-0-0x0000000025000000-0x000000002501A000-memory.dmp

      Filesize

      104KB

      Download