56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 07:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2530f54b87508e6f09a6bc5ab863b5db_JaffaCakes118.dll
Size

22KB
MD5

2530f54b87508e6f09a6bc5ab863b5db
SHA1

cd50170a70b9cc767aa4b21a150c136cb25fbd44
SHA256

56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84
SHA512

e4f092a9c6ebe1092fcdfbb6110aa4f7bfd6293741f6aebcf24d9d0eb5a469a80020b2292e93610b6f11da6a90f92e3bcb36aa4e822ae91160f6be8070357765
SSDEEP

384:UVHZSHCrxgSbbbdKjN7i39dMbSLo4AVe7KElflK:U5rm64N7CkbSJAIeE5lK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2496	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\APPLIC~1\svcnetwork.bin	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 1912 wrote to memory of 2080	1912	rundll32.exe	28
PID 2080 wrote to memory of 2976	2080	rundll32.exe	29
PID 2080 wrote to memory of 2976	2080	rundll32.exe	29
PID 2080 wrote to memory of 2976	2080	rundll32.exe	29
PID 2080 wrote to memory of 2976	2080	rundll32.exe	29
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31
PID 2976 wrote to memory of 2496	2976	cmd.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2530f54b87508e6f09a6bc5ab863b5db_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2530f54b87508e6f09a6bc5ab863b5db_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bywu.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\PROGRA~3\APPLIC~1\svcnetwork.bin,NnvTlsp
      4⤵
      Loads dropped DLL
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\APPLIC~1\svcnetwork.bin

Filesize
22KB

MD5
019c92f116906cade62e10f1fef8ca50

SHA1
260264e1dacaa74c1052a41b64629577cefe21a4

SHA256
32882e9c7f9a599cb9b51deff59f80f5b1d055088780add1b44d4b71de7d912e

SHA512
6628b98445bbf0574b478caea8bd5735c57f0e9ad1dfab9dd031785cb6dbd8a6cc7e3518eefc386ba3d688191fe7e712c49e8821faa982243dfa7d84eb078148

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Support.lnk

Filesize
772B

MD5
b61474278a91ae6c0955df5082d3517f

SHA1
b5264edd796db15a4e95c66e26d611db820058ff

SHA256
4f0d04b3ce89f03078169473a1fe79ad5e0550363c2fae06993595b1c3c69810

SHA512
12b342f6c8ddc77b9af437dd911f8b31ee18f72298e92595d9c75dd72debae7197adb29323313862d57aee06bba1beb98a96886c6b4c220ede200326827433bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bywu.cmd

Filesize
83B

MD5
0b55dfbfe0c8725ad5feada65687a98f

SHA1
0e25585444a43ef60fcda4efb8dc87851998ff05

SHA256
07c1f6c784dc29d9b4cab5e3cc30ceae591c9a9f1f85dc45c9b06401c6457dc3

SHA512
8b82437734ed024f36cf0134e1d45e52d1406a1056d160add383a6a561d2fb7191a506c50b724734e8cca75f5d6845f818b2458f202df58046d282894fcb6590

Download Submit
memory/2080-0-0x0000000056A04000-0x0000000056A09000-memory.dmp

Filesize
20KB

Download
memory/2080-44-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2080-46-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2496-39-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2496-43-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2496-47-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2496-49-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download
memory/2496-48-0x0000000056A00000-0x0000000056A09000-memory.dmp

Filesize
36KB

Download