89a81578acb8698abff67270bd4841363b56f9758086402fef8e3281f319b51e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

32aca795f01ec9ef592a5c73403fb3c7_JaffaCakes118.dll
Size

1.1MB
MD5

32aca795f01ec9ef592a5c73403fb3c7
SHA1

d34a001a599d9d98b77f2b7a593ba903932d4c86
SHA256

89a81578acb8698abff67270bd4841363b56f9758086402fef8e3281f319b51e
SHA512

6ce7ab64bf85cb19ee92516a08052b5b31144130756953dd34e9dabf3f48637590cdf9b547d4502252da7520cb7edb87789a38b43056e54e51e6c72dae070494
SSDEEP

24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00m:SuNZ7Ib8ZBL2/XB

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\32aca795f01ec9ef592a5c73403fb3c7_JaffaCakes118.dll"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\4229550014.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\4229550014.dll	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2204	1008	regsvr32.exe	81
PID 1008 wrote to memory of 2204	1008	regsvr32.exe	81
PID 1008 wrote to memory of 2204	1008	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\32aca795f01ec9ef592a5c73403fb3c7_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\32aca795f01ec9ef592a5c73403fb3c7_JaffaCakes118.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  PID:2204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dtcGep -s dticem
1⤵
- Drops file in System32 directory
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\4229550014.dll

Filesize
135B

MD5
e82fd270618a0cb25a0abca67c33cdf0

SHA1
f5539bd3acafc88e1a268ec0bebc1ccacd38a1a0

SHA256
fbac6bfe4539d862607db2fa68bc413d11a1c110d7cecd39dc86f4933978482b

SHA512
ee7242819eefc8d9c40176fd8b70b8940475532f527129affae81846c0431c9e712c4c1edd8623c31b47affde1758ffcc60d99eedb9f0da8328f587f645e1189

Download Submit
C:\Windows\SysWOW64\4229550014.dll

Filesize
114B

MD5
56f54da7a3d4f466167ae7a578e019bb

SHA1
25dec2ca9165b0a95579975e4f7c6e956fc174df

SHA256
72469182906547bb5b9b05e7ecabee8729589296353b6d7be1314fa8f9f272b3

SHA512
32f2add6c5fd55ec0ded7fb9a4b6ab81fb0ae730c38b752385372a968793c58f02d628002482bd30c8115ee055bfb62b08cd7aaf4fd54cbaaa71cd89c0b60820

Download Submit
memory/4024-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4024-21-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download