c2fa762ec8e7d274fa65fa28209cdb6bbb16191801df5691e5c390d89d6c0550

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33e4814966c120bf2aa57e18f5c3bb3c_JaffaCakes118.dll
Size

108KB
MD5

33e4814966c120bf2aa57e18f5c3bb3c
SHA1

7bcf0dc6df027cb631cd0b42ca4995d3ad02b7a2
SHA256

c2fa762ec8e7d274fa65fa28209cdb6bbb16191801df5691e5c390d89d6c0550
SHA512

3e3911acb27b30ee0fe05194e07a0bef3b1eb5ba61584d9f720c60753fe374e90d8d1a2e405c41fce05a3b0d898cad2a6c476a156804ede178268f4500eb3cb0
SSDEEP

1536:31d7ZKo1aV+78bBbpt/ppkhc6dcMnyfha0/My1OaIHM/CKJhOI:Fd7ZJ11SQc6dXnEha0Ey1OaIHM/CKJhH

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hidserv\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\HidServ\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\helpsvc.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30
PID 2860 wrote to memory of 2872	2860	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33e4814966c120bf2aa57e18f5c3bb3c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\33e4814966c120bf2aa57e18f5c3bb3c_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads