85d55aec02e52e5a5a8343b1c8e3dd2a35de65e350439578dcb21dd67ca59531

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa1f6f32b3b555e882a25a8d2fc3de3_JaffaCakes118.dll
Size

15KB
MD5

1aa1f6f32b3b555e882a25a8d2fc3de3
SHA1

8b417db3a3110ffe88d282675c028c58d9b7de84
SHA256

85d55aec02e52e5a5a8343b1c8e3dd2a35de65e350439578dcb21dd67ca59531
SHA512

b0ed3c1c0c154a646edb022a50aeba39672b464e37f2f29ba9ba538daadf3e78d6a7797fa9dd73153218dce77ffdf7ba233660676f01b583e204e06daca8de13
SSDEEP

384:nl89HJ4c4AxBeWF5dssKOYu/W5+ZLobJ3yvf9nod:nl8L4AxJFQOYu/WIZ0l3mO

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msosdohs00.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msosdohs00.dll	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
340	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 340 wrote to memory of 1128	340	rundll32.exe	19
PID 340 wrote to memory of 1184	340	rundll32.exe	20
PID 340 wrote to memory of 1220	340	rundll32.exe	21
PID 340 wrote to memory of 1792	340	rundll32.exe	23
PID 340 wrote to memory of 2040	340	rundll32.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa1f6f32b3b555e882a25a8d2fc3de3_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa1f6f32b3b555e882a25a8d2fc3de3_JaffaCakes118.dll,#1
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-19-0x000000001000F000-0x0000000010010000-memory.dmp

Filesize
4KB

Download
memory/340-18-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1128-2-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download