Overview

overview

8

Static

static

3

2de2c66acc...18.exe

windows7-x64

3

2de2c66acc...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240708-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2024, 21:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2de2c66acc290d38bf21baef62d9d9c2_JaffaCakes118.exe

  • Size

    45KB

  • MD5

    2de2c66acc290d38bf21baef62d9d9c2

  • SHA1

    e7abd919485ce2502430169f32df8af82255f078

  • SHA256

    35d0e3f30421d583cff55f776adf4eb41af622c5adc1ba89304f39ab27e91bc6

  • SHA512

    0d12ecd395d29a7d7c52f91fe56c94b9bd0ee978057e5e15559732c2531fdffc54bad07c63522747acc419ad161f11c861545c5ac18dc399d12b45c42f6b7f73

  • SSDEEP

    768:dfNmvp7L7cTovlBUZWwXKeQLNcdwivyucXgQxfA:dFM7nc4BUZJ6b5cSiv70xfA

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:604
    • C:\Users\Admin\AppData\Local\Temp\2de2c66acc290d38bf21baef62d9d9c2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2de2c66acc290d38bf21baef62d9d9c2_JaffaCakes118.exe"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Windows\system32\mlJDvTNg.dll,a
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\system32\vtUlIccy.dll",s
          3⤵
            PID:1184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awtqoNFV.bat "C:\Users\Admin\AppData\Local\Temp\2de2c66acc290d38bf21baef62d9d9c2_JaffaCakes118.exe"
          2⤵
            PID:1672

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\awtqoNFV.bat
                Filesize

                71B

                MD5

                b8c7f238e4c3e4999227217a1e1d8fbc

                SHA1

                c0934147f743641c5c1f8719092874a3da880b45

                SHA256

                2eecc9f651cc215261d29cb56e7728ef28cbf5304eecee94b666aced81a59153

                SHA512

                d31c5d5a315b34eab9d36c31ee312adafc830c4e32e9e163747961454776bb62394d69a1a56785b42866bb5fc260c3e1442b3f75f9903a1c229613bae78409da

                Download Submit

              • C:\Windows\SysWOW64\mlJDvTNg.dll
                Filesize

                32KB

                MD5

                c24d87fea324d1203e848391fac641a8

                SHA1

                a0e336e04605d135d4b715f0d705a6a4569e21f7

                SHA256

                db47c70eb23c4bb68507e9bc7521f7cee13c9a320e8fcc2c5084cb2203f6ccc9

                SHA512

                93e7bdd198c3234896dc28e42e00281722741e0f943c2f3dd611edd065b8d8d8861bd5754600b866d4353cbda36f2c2e21514e5f02a4cf24d5e19ddaddf4533d

                Download Submit

              • C:\Windows\SysWOW64\vtUlIccy.dll
                Filesize

                1KB

                MD5

                5b31337872fa493bdfc80ba4bb709f9c

                SHA1

                132690268d77c8a24e2d5da455f9584df947d26c

                SHA256

                432015050f33e6c2882f4cd8a774a6a5d8a60fb5faf19a4f6546cb042601316d

                SHA512

                fc208a5b878f1e0f8e75338a7ff6222cdf7a2a8322aadfe43d64c383408f768d87752a121b0645d88cc1114d7521300773a5538043b72d23730b4a3ddf08b43f

                Download Submit

              • memory/1948-0-0x0000000000400000-0x000000000040F000-memory.dmp

                Filesize

                60KB

                Download

              • memory/1948-1-0x0000000002150000-0x0000000002155000-memory.dmp

                Filesize

                20KB

                Download

              • memory/1948-2-0x0000000000400000-0x000000000040F000-memory.dmp

                Filesize

                60KB

                Download

              • memory/1948-8-0x0000000010000000-0x0000000010012000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1948-10-0x0000000010000000-0x0000000010012000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1948-11-0x0000000002150000-0x0000000002155000-memory.dmp

                Filesize

                20KB

                Download

              • memory/3592-18-0x0000000000E00000-0x0000000000E05000-memory.dmp

                Filesize

                20KB

                Download

              • memory/3592-17-0x0000000010000000-0x0000000010012000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3592-28-0x0000000010000000-0x0000000010012000-memory.dmp

                Filesize

                72KB

                Download