d888dfeaa5eed4ffd2dcca4d4ff1914d3f3823c93ef889e115574ed3637a74e9

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a4037ca50b72cef1862fbe8fa9a2ab_JaffaCakes118.dll
Size

1.1MB
MD5

17a4037ca50b72cef1862fbe8fa9a2ab
SHA1

75306402c50c451ac5ed2fe64b9fea8db41c1736
SHA256

d888dfeaa5eed4ffd2dcca4d4ff1914d3f3823c93ef889e115574ed3637a74e9
SHA512

6ae07e0201496a98237aaad9ddd5904063b00386dd1f23218b0e3097b2d4f9e7093ed3db33ef5f6e23d6698282a048675218ed378b7e578375e8eeb752185a4e
SSDEEP

24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00s:SuNZ7Ib8ZBL2/XT

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17a4037ca50b72cef1862fbe8fa9a2ab_JaffaCakes118.dll"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\4ef3d40a18.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\4ef3d40a18.dll	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4888	4352	regsvr32.exe	80
PID 4352 wrote to memory of 4888	4352	regsvr32.exe	80
PID 4352 wrote to memory of 4888	4352	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\17a4037ca50b72cef1862fbe8fa9a2ab_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\17a4037ca50b72cef1862fbe8fa9a2ab_JaffaCakes118.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  PID:4888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dtcGep -s dticem
1⤵
- Drops file in System32 directory
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\4ef3d40a18.dll

Filesize
126B

MD5
5cac932b86434e7bb72e361af03622e3

SHA1
3f415716974f44b9848fcbb48409ae2917982793

SHA256
ceaafb53c1d859fe44bbd47d353371451d2014b267bb18b5f0d5f6f0bc1bf151

SHA512
2d4adb73a68b38837ea45ffe666342b9a6ddd9114e348ba905669f77040c0a8bbf50f471448d04320fd0a80247d80a072475616326c0015dffc96d06ebb9b527

Download Submit
C:\Windows\SysWOW64\4ef3d40a18.dll

Filesize
114B

MD5
a26735a2c9a88ce4df108b07697607be

SHA1
308820774e9250e9545bf87cef91cb7a92629967

SHA256
4a6af464348b784ba4d3bccb6ac2eefea31d97afe627d29abafe2c94389cfdec

SHA512
3a922a7f8e78f51f44f87e4a2e542723231881907f71bec46f4cd6811dd8c2e5772ba682cc52c564a20ccdd8df0919498bf4671bc7fc1b1bb614f4ef22787d98

Download Submit
memory/4408-0-0x0000000001400000-0x0000000001517000-memory.dmp

Filesize
1.1MB

Download
memory/4408-8-0x0000000001400000-0x0000000001517000-memory.dmp

Filesize
1.1MB

Download
memory/4408-22-0x0000000001400000-0x0000000001517000-memory.dmp

Filesize
1.1MB

Download
memory/4408-30-0x0000000001400000-0x0000000001517000-memory.dmp

Filesize
1.1MB

Download