Overview

overview

8

Static

static

7

25b4f53e2b...18.dll

windows7-x64

8

25b4f53e2b...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    138s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25b4f53e2b441d18df560cebebc06be7_JaffaCakes118.dll

  • Size

    94KB

  • MD5

    25b4f53e2b441d18df560cebebc06be7

  • SHA1

    49a04e5975d4058b66305ccc372811eea8d356a1

  • SHA256

    ee48eb5538418a68b50db8cde4483110f156ed5f70ad714cc16bdd8c822e89eb

  • SHA512

    5bba3c38766fd63e644d2d0bd2ff489247df8e9482583730620241d56afccdd189a8ca98066d922e3ce5ee98ea6317bcd5d72a804eeb9209c5c5cc95364b0027

  • SSDEEP

    1536:mGky8V4yKGeRbxMnciZ+MoKYbEjMWZUrmWVRrdTfm9ZcjXeDJ7TBGoGC6oib9E:mLdVeROnci3obBaWXrd7mwbeD1/1zibW

Score
8/10
persistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\25b4f53e2b441d18df560cebebc06be7_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\25b4f53e2b441d18df560cebebc06be7_JaffaCakes118.dll
      2⤵
      • Drops file in Drivers directory
      • Server Software Component: Terminal Services DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:528
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k Autghorhization
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 536
      2⤵
      • Program crash
      PID:1268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 556
      2⤵
      • Program crash
      PID:4748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 548
      2⤵
      • Program crash
      PID:2180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2140 -ip 2140
    1⤵
      PID:2860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2140 -ip 2140
      1⤵
        PID:3712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2140 -ip 2140
        1⤵
          PID:4728

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\drivers\beep.sys
          Filesize

          2KB

          MD5

          f78ebe1c201e8464f31502539621391e

          SHA1

          57ca514fa6456bb618f82c152095e09231f3043d

          SHA256

          509aaae09ef45aff839a6a5533f725bb37e2fe1ced9aae86ddbafff4c7be7908

          SHA512

          6434fabba1b226108a8316e708e4d66a358777368c35da6212859611e8bc792adacd242cbfea843eb9d190f6b644155c6d9d85e7a3a91575fb5c7e2dff803ad8

          Download Submit

        • C:\Windows\SysWOW64\ljinvjMphrGArGM.dll
          Filesize

          94KB

          MD5

          25b4f53e2b441d18df560cebebc06be7

          SHA1

          49a04e5975d4058b66305ccc372811eea8d356a1

          SHA256

          ee48eb5538418a68b50db8cde4483110f156ed5f70ad714cc16bdd8c822e89eb

          SHA512

          5bba3c38766fd63e644d2d0bd2ff489247df8e9482583730620241d56afccdd189a8ca98066d922e3ce5ee98ea6317bcd5d72a804eeb9209c5c5cc95364b0027

          Download Submit

        • memory/528-0-0x0000000010000000-0x0000000010040000-memory.dmp

          Filesize

          256KB

          Download

        • memory/528-1-0x0000000000AB0000-0x0000000000AD7000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2140-8-0x0000000000FD0000-0x0000000000FF7000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2140-10-0x0000000010000000-0x0000000010040000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2140-12-0x0000000010000000-0x0000000010040000-memory.dmp

          Filesize

          256KB

          Download