8e1f30fb6f050f39576aa89ecef32669971d2d45b6e77fb22f59da72120656c5

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a2323a683c85dca6ce24ecdc538daf_JaffaCakes118.dll
Size

18KB
MD5

07a2323a683c85dca6ce24ecdc538daf
SHA1

4cb6dc5108a38ec17d3a0b2e43705efe8de1bcee
SHA256

8e1f30fb6f050f39576aa89ecef32669971d2d45b6e77fb22f59da72120656c5
SHA512

47511e641d84137debdef14213ab57c6bebb288e4db17232f15998f8d97391739edcaec0e2ee21a6a451f53cf2a2672488849e4a22cdd21456b056bf775df14a
SSDEEP

384:JVAvSfPYMl0lnya6wZaXYKQx+gGEtRjGJgwR+r9gC:Jmod0ly+WYXkgGVgQ29d

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012336-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2464-0-0x0000000010000000-0x0000000010015000-memory.dmp	upx
behavioral1/files/0x000d000000012336-5.dat	upx
behavioral1/memory/2744-10-0x0000000010000000-0x0000000010015000-memory.dmp	upx
behavioral1/memory/2464-19-0x0000000010000000-0x0000000010015000-memory.dmp	upx
behavioral1/memory/2744-21-0x0000000010000000-0x0000000010015000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDLL (bee.dll) = "rundll32.exe C:\\Windows\\system32\\bee.dll,start"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bee.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bee.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	rundll32.exe
2464	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 840 wrote to memory of 2464	840	rundll32.exe	28
PID 2464 wrote to memory of 1692	2464	rundll32.exe	29
PID 2464 wrote to memory of 1692	2464	rundll32.exe	29
PID 2464 wrote to memory of 1692	2464	rundll32.exe	29
PID 2464 wrote to memory of 1692	2464	rundll32.exe	29
PID 2464 wrote to memory of 2080	2464	rundll32.exe	30
PID 2464 wrote to memory of 2080	2464	rundll32.exe	30
PID 2464 wrote to memory of 2080	2464	rundll32.exe	30
PID 2464 wrote to memory of 2080	2464	rundll32.exe	30
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 2464 wrote to memory of 2744	2464	rundll32.exe	31
PID 1692 wrote to memory of 2632	1692	cmd.exe	35
PID 1692 wrote to memory of 2632	1692	cmd.exe	35
PID 1692 wrote to memory of 2632	1692	cmd.exe	35
PID 1692 wrote to memory of 2632	1692	cmd.exe	35
PID 2080 wrote to memory of 2608	2080	cmd.exe	34
PID 2080 wrote to memory of 2608	2080	cmd.exe	34
PID 2080 wrote to memory of 2608	2080	cmd.exe	34
PID 2080 wrote to memory of 2608	2080	cmd.exe	34
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2464 wrote to memory of 2540	2464	rundll32.exe	36
PID 2632 wrote to memory of 2652	2632	net.exe	39
PID 2632 wrote to memory of 2652	2632	net.exe	39
PID 2632 wrote to memory of 2652	2632	net.exe	39
PID 2632 wrote to memory of 2652	2632	net.exe	39
PID 2608 wrote to memory of 2548	2608	net.exe	38
PID 2608 wrote to memory of 2548	2608	net.exe	38
PID 2608 wrote to memory of 2548	2608	net.exe	38
PID 2608 wrote to memory of 2548	2608	net.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07a2323a683c85dca6ce24ecdc538daf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\07a2323a683c85dca6ce24ecdc538daf_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop "AhnLab Task Scheduler"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop "AhnLab Task Scheduler"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "AhnLab Task Scheduler"
        5⤵
        
        PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop MonSvcNT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\net.exe
      net stop MonSvcNT
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MonSvcNT
        5⤵
        
        PID:2548
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\system32\bee.dll,start
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
    3⤵
    - Deletes itself
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uninstall.bat

Filesize
266B

MD5
9f2d6f4feb29c2b15b53fa198d998edc

SHA1
ba516429ade82dbdfac103b4081f11c060938561

SHA256
5e8eed071f2b42220ea872ebcb84d33a2e6feefb1676070d544b9cd93927a672

SHA512
f8a3058708cc7c5108a63b5842117ea434a521d78468d2cd28c1c39331c159d43719dddd0f4ed10c54d4608279b7170963cee7937de9b7baaa29f60dd1791bf4

Download Submit
C:\Windows\SysWOW64\bee.dll

Filesize
18KB

MD5
07a2323a683c85dca6ce24ecdc538daf

SHA1
4cb6dc5108a38ec17d3a0b2e43705efe8de1bcee

SHA256
8e1f30fb6f050f39576aa89ecef32669971d2d45b6e77fb22f59da72120656c5

SHA512
47511e641d84137debdef14213ab57c6bebb288e4db17232f15998f8d97391739edcaec0e2ee21a6a451f53cf2a2672488849e4a22cdd21456b056bf775df14a

Download Submit
memory/2464-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2464-19-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2744-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2744-21-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download