e55786ba1d50daaf614158817a1324a84b11c196b8ac81d204ee699b98b25352

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll
Size

1.1MB
MD5

0a6eec153fa70b5aec05306d4f688d24
SHA1

71fc9e848671e5b313f4dfb7fec5f142a2e69808
SHA256

e55786ba1d50daaf614158817a1324a84b11c196b8ac81d204ee699b98b25352
SHA512

10a3854742905deec2112816a7c5df1098825107d77d985659b878f83b5a66de7e824094f51aa6b0be50dbd255f22ddd34c89221272a6cf87989c5b81e7307ae
SSDEEP

24576:oTneb46N97ATlDGxJBBuFIYrjbTWWgZ0JOZCVv0CnUoR+82dzqz4K2mXt7SRATjl:t3N97ATlDGxJBBuFIYrjbTWWgZ0JOZCH

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll"	rundll32.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002349b-7.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
5004	rundll32.exe
5004	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sebay\42e939b471.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Sebay\42e939b471.dll	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 5004	3620	rundll32.exe	87
PID 3620 wrote to memory of 5004	3620	rundll32.exe	87
PID 3620 wrote to memory of 5004	3620	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  PID:5004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dtcGep -s dticem
1⤵
- Drops file in System32 directory
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a6eec153fa70b5aec05306d4f688d24_JaffaCakes118v.dl

Filesize
49KB

MD5
73c60b28c202e2aeb94ab8a06ace02ca

SHA1
df10fd2679728f9bda83b888c7d472e2d2cc61bb

SHA256
8c90a037e236c7c294f95aa6d809bc599ff6b177498d49b055d39e3c76de7b4a

SHA512
71714bdc12739f92c537be80560d9e8f44555c0ebe3587acaf4c7ce61e2b79458c523469bf4fdffa80a13781c1081048981db0824d305773794bad06e6d71824

Download Submit
C:\Windows\SysWOW64\Sebay\42e939b471.dll

Filesize
113B

MD5
82a793c946fdbcbeaa101746d8fe8b2f

SHA1
6537636299a5a652f3f8b0d0aa049f4d9933921f

SHA256
0e8d3c95d85998b1c1b17b4146133f316d1b748e88535772090dc9e4a9223497

SHA512
800f609c05003f6b1002d78d563c5eb5ed474b18595071d1ac6f3eb8c7d70475c9a4996af01e1497af4826b01e4e476169ef44232f434dcef2705799654cff7a

Download Submit
memory/3976-16-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3976-30-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download