983cf0a0c21ac5dc9a6f718a9cf349b3dbe39535ad163105d43d29d951bbd8ee

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 12:05

Target

0e00c13c7a43211e5fabf7c2a223f7ae_JaffaCakes118.dll
Size

20KB
MD5

0e00c13c7a43211e5fabf7c2a223f7ae
SHA1

7edb05bf4c935258a5d054d31b8f9ae71d3c6c0d
SHA256

983cf0a0c21ac5dc9a6f718a9cf349b3dbe39535ad163105d43d29d951bbd8ee
SHA512

c5a61549ca342bc98036755e7fdba7da81053d3ba9bdb427e09fd283cb2fd8878f5776e9b8302f938a522eb8c25d889c897b4360f4ed38beaf6193c1166903e0
SSDEEP

24:eH1GStnfJCAbpPZYtaBNUlpcgrp/teV2EQLqoVwFbQjFcQES0C:ytnhCuZoOUl3r9ksFMb6yrS

Score

8^/10

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start = "c:\\huijing.exe"	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 1276 wrote to memory of 2256	1276	rundll32.exe	28
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29
PID 2256 wrote to memory of 1252	2256	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e00c13c7a43211e5fabf7c2a223f7ae_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e00c13c7a43211e5fabf7c2a223f7ae_JaffaCakes118.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2256
- - \??\c:\windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.exe huijing2.dll huijing2.dll
    3⤵
    PID:1252