5939216313878c4162162155405c8829655b20c38c39fe751556911fb15f07b6

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329125cb74987be402641dae0dac0468_JaffaCakes118.exe
Size

49KB
MD5

329125cb74987be402641dae0dac0468
SHA1

ecc0ad80be80f552d3db782727a07fedd2748dbc
SHA256

5939216313878c4162162155405c8829655b20c38c39fe751556911fb15f07b6
SHA512

584b9f4c366eee488d2bc3817e6948ec10c0fe1ea4137572fb9a3ad2b766710c7c4695de369fa50db7ecd065e73dbe50756eaffa3f6f96ec5c7f96346c61e385
SSDEEP

768:RM6vXHIn3W6z2SXibYPIKLiQZXVHjVRyYLv+OJxy8XBb2ffxUTQKwyIVOrpJ3:RMUonmaXi/EZX9yYLxvxksyYpJ3

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	3436	rundll32.exe
14	3436	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe
3436	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\fccdddBR.dll,#1"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rqRLcCuu.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fccdddBR.dll	329125cb74987be402641dae0dac0468_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fccdddBR.dll	329125cb74987be402641dae0dac0468_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\fccdddBR.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe
4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 620	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	5
PID 4680 wrote to memory of 3436	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	84
PID 4680 wrote to memory of 3436	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	84
PID 4680 wrote to memory of 3436	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	84
PID 4680 wrote to memory of 3416	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	85
PID 4680 wrote to memory of 3416	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	85
PID 4680 wrote to memory of 3416	4680	329125cb74987be402641dae0dac0468_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2524	3436	rundll32.exe	87
PID 3436 wrote to memory of 2524	3436	rundll32.exe	87
PID 3436 wrote to memory of 2524	3436	rundll32.exe	87

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\fccdddBR.dll,a
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\rqRLcCuu.dll",s
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxyxXNda.bat "C:\Users\Admin\AppData\Local\Temp\329125cb74987be402641dae0dac0468_JaffaCakes118.exe"
  2⤵
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xxyxXNda.bat

Filesize
71B

MD5
52667c9ca6aa06b47f079883578de185

SHA1
ee5c5ac6aaf229d0091f310aa34f487f54b9f4e8

SHA256
eca0be39aca8aac76e43fd4a5fb3d4da7d212ce0628294f2e873bea6e39122d3

SHA512
c393bbe7e699fe8b1dd4171a742c61242a8d3aee100bbcd9a4cad4fb7a5677bcc8ad20880d87c4d6bbfc7e8046e6d4b54a5a582d903c21369b2efb50326f92a2

Download Submit
C:\Windows\SysWOW64\fccdddBR.dll

Filesize
36KB

MD5
2bfecb1bbb48dfc6de080b4221e77c50

SHA1
9ed1940b86eb205934f76d78826e7d6ba948b3e8

SHA256
6fab590506d524da205eccb59f44bdfeba07f12d051eac1c9876ecc524b43106

SHA512
a24acdbdd9cda1912e7b1ceba6b78603cffbc16c3e2d1dd54b6dc0da99b1263617e006ba86799beadcbefd65b0cfd41218322b5184269a566e7bab5311f83685

Download Submit
C:\Windows\SysWOW64\rqRLcCuu.dll

Filesize
1KB

MD5
3c7feb8a01f4335cb4d0e6c25a31f2cf

SHA1
0ee2d8d32130a70e3ac1ddc26156b2d5e8f390e3

SHA256
02d6edf0cf3bca3be07d7c7ac1fd052add5a422dd0d22ab3a0eead550b985bb3

SHA512
907679f48adcaa26de209184c904842594950c104a29a98833e4691939a2623c26a19a038b7e1ed98806088f08c2e7522285485038c661f5a18fc3c2a3713d31

Download Submit
memory/3436-17-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3436-18-0x00000000011E0000-0x00000000011E5000-memory.dmp

Filesize
20KB

Download
memory/3436-19-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3436-29-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3436-30-0x00000000011E0000-0x00000000011E5000-memory.dmp

Filesize
20KB

Download
memory/4680-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4680-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4680-11-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download
memory/4680-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-1-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download