1a9cb3e53e1b39ad42ad957bc8634d4b56be39d39b48f833604090efcadd47f7

Analysis

max time kernel
140s
max time network
132s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a67c03ba236b8c56708841b99371e1b_JaffaCakes118.dll
Size

543KB
MD5

2a67c03ba236b8c56708841b99371e1b
SHA1

0cc582c59ead4acfd14e43bb9be4b12679df6ad6
SHA256

1a9cb3e53e1b39ad42ad957bc8634d4b56be39d39b48f833604090efcadd47f7
SHA512

5c6c9b671a8f7a44c69d1c4f1a54fbcaaaa937ecae0216eecbd5827f0eea5a994bab0e435f537927500d4bd5ca10c86e98d0819533307687d36816830ec93ccb
SSDEEP

12288:YbWhPjynZqbGz6TnGYI/8F+KVlFIHoguBfx45Z0EQ2jUGo6Ja8L:YbWFUH+TRI/8UYyZ045Z0j2jWwL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2280	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\725a02eb96.dl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\725a02eb96.dl	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28
PID 2916 wrote to memory of 2280	2916	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a67c03ba236b8c56708841b99371e1b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a67c03ba236b8c56708841b99371e1b_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\725a02eb96.dl

Filesize
34B

MD5
12b4a7e294b4d45dbfc447731b40bc99

SHA1
9e80b27b8491f9da8edc531ef9977bd052a1e2b2

SHA256
5ed3732604f89d3c751ecc04d4e8aa700a89c7fff70f7258181df84406f2043c

SHA512
178fd7c11792cc9c04c68d9cf664c5ef31a2c984dcd114175d2da754364fb54ae34d14fa117c3e74f02ac79a30b1deee70dfebf25a93a460204442555294344a

Download Submit
memory/2280-0-0x0000000002170000-0x00000000022DF000-memory.dmp

Filesize
1.4MB

Download
memory/2280-21-0x0000000002170000-0x00000000022DF000-memory.dmp

Filesize
1.4MB

Download
memory/2280-22-0x0000000002170000-0x00000000022DF000-memory.dmp

Filesize
1.4MB

Download