e55786ba1d50daaf614158817a1324a84b11c196b8ac81d204ee699b98b25352

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll
Size

1.1MB
MD5

0a6eec153fa70b5aec05306d4f688d24
SHA1

71fc9e848671e5b313f4dfb7fec5f142a2e69808
SHA256

e55786ba1d50daaf614158817a1324a84b11c196b8ac81d204ee699b98b25352
SHA512

10a3854742905deec2112816a7c5df1098825107d77d985659b878f83b5a66de7e824094f51aa6b0be50dbd255f22ddd34c89221272a6cf87989c5b81e7307ae
SSDEEP

24576:oTneb46N97ATlDGxJBBuFIYrjbTWWgZ0JOZCVv0CnUoR+82dzqz4K2mXt7SRATjl:t3N97ATlDGxJBBuFIYrjbTWWgZ0JOZCH

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll"	rundll32.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000700000001211c-4.dat	aspack_v212_v242

Loads dropped DLL 1 IoCs

pid	Process
1664	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sebay\9a899fccf1.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Sebay\9a899fccf1.dll	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28
PID 2480 wrote to memory of 1664	2480	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  PID:1664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dtcGep
1⤵
- Drops file in System32 directory
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sebay\9a899fccf1.dll

Filesize
113B

MD5
6d92aee8a3f9e3460887e0f717510b69

SHA1
36db097ee75f2675c5c1ec26b6be6b23345bc00b

SHA256
923b11691ed472256bdb0da1adb73ccf9bc4616ac38f57351e7c4dcf6b8cd2d6

SHA512
cefaf43c6a017b62c3c4477a8b7b7dc7e21f096408a777be225c52ece0afd0f9e79921a4f760cf289b0b3b54c0389cfaa6cdb5d8f458ef3ac112342788ffdd21

Download Submit
\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118v.dl

Filesize
49KB

MD5
73c60b28c202e2aeb94ab8a06ace02ca

SHA1
df10fd2679728f9bda83b888c7d472e2d2cc61bb

SHA256
8c90a037e236c7c294f95aa6d809bc599ff6b177498d49b055d39e3c76de7b4a

SHA512
71714bdc12739f92c537be80560d9e8f44555c0ebe3587acaf4c7ce61e2b79458c523469bf4fdffa80a13781c1081048981db0824d305773794bad06e6d71824

Download Submit
memory/1664-0-0x0000000000370000-0x000000000048A000-memory.dmp

Filesize
1.1MB

Download
memory/2236-7-0x00000000024C0000-0x00000000025DA000-memory.dmp

Filesize
1.1MB

Download
memory/2236-15-0x00000000024C0000-0x00000000025DA000-memory.dmp

Filesize
1.1MB

Download
memory/2236-29-0x00000000024C0000-0x00000000025DA000-memory.dmp

Filesize
1.1MB

Download
memory/2236-30-0x00000000024C0000-0x00000000025DA000-memory.dmp

Filesize
1.1MB

Download