8b85e0f484655ca94de106adeb9555c042e652893e8693f228f4f0be90d9d871

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
Size

70KB
MD5

2da4ebd905f6425b517cd39ebd5278d2
SHA1

f57d954b9b9c1152b10dfd245ffd69abd4f0ecd4
SHA256

8b85e0f484655ca94de106adeb9555c042e652893e8693f228f4f0be90d9d871
SHA512

19c9473057af3f68d6288fb96cd1424f7c21136f9e90e73438e9c73a6697f4742549d4320345389944500418b19c185a424c9e4fabd7d5d25537166ad7c74d9a
SSDEEP

1536:doquHm0GQTg/+Y6EEN4qfQ7cQpCHKPuX6iy400ck0KkUZAisAiU4iwu2+H++p7YU:5qgSpHQpYKQlp7YU

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rx = "C:\\Windows\\rundll32.exe"	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rydll.dll	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundll32.exe	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
File opened for modification	C:\Windows\rundll32.exe	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
4028	2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2da4ebd905f6425b517cd39ebd5278d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rydll.dll

Filesize
41KB

MD5
5ab2e001a3c9aebea46e393a2248e677

SHA1
42b9f9df28b821cff949a1a917e4e8e2fbfdfed8

SHA256
b6dc69ba20651f3ea06d8e03272de39e17dcf957033ac8b7cc5a8fe1dc2ed5da

SHA512
509eef4d5b9b8160beb229bf53ab7853716141b01f452584aa59d30e6a8a5ff8182ccd2bad675279bea61f0596c31f9de5e3eaf9aba58d78992d9e6a6a7dc3d5

Download Submit
memory/4028-5-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/4028-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4028-9-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download