016542b807a13a3f0b780f29e13b45920dae3459e8cdcf858bfc95dce60815a4

Analysis

max time kernel
95s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a95d5585ab1491c13310c39e4822a2a_JaffaCakes118.dll
Size

13KB
MD5

3a95d5585ab1491c13310c39e4822a2a
SHA1

167fd5e304e39b4e9d9c1a6132a25d5a9975b8d3
SHA256

016542b807a13a3f0b780f29e13b45920dae3459e8cdcf858bfc95dce60815a4
SHA512

dba7be6e333b4fc5fba9d1b50928a949f351fbcfaf2dd9bcabb9c3a0631d4aade52d5834e88c54a9d40bd2435a73878c014d79b89dc80d9e74546b7e5469b2e8
SSDEEP

384:BC9AeSUGMe0pS5wUw79jLzmKAiLaEUIy6Np77zpHwWWt:BadGCpQd2lGkUgzNw1

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msosmhfp00.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msosmhfp00.dll	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	376	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 376	556	rundll32.exe	83
PID 556 wrote to memory of 376	556	rundll32.exe	83
PID 556 wrote to memory of 376	556	rundll32.exe	83
PID 376 wrote to memory of 616	376	rundll32.exe	5
PID 376 wrote to memory of 672	376	rundll32.exe	7
PID 376 wrote to memory of 788	376	rundll32.exe	8
PID 376 wrote to memory of 796	376	rundll32.exe	9
PID 376 wrote to memory of 808	376	rundll32.exe	10
PID 376 wrote to memory of 908	376	rundll32.exe	11
PID 376 wrote to memory of 960	376	rundll32.exe	12
PID 376 wrote to memory of 60	376	rundll32.exe	13
PID 376 wrote to memory of 512	376	rundll32.exe	14
PID 376 wrote to memory of 872	376	rundll32.exe	15
PID 376 wrote to memory of 1072	376	rundll32.exe	16
PID 376 wrote to memory of 1080	376	rundll32.exe	17
PID 376 wrote to memory of 1088	376	rundll32.exe	18
PID 376 wrote to memory of 1112	376	rundll32.exe	19
PID 376 wrote to memory of 1156	376	rundll32.exe	20
PID 376 wrote to memory of 1264	376	rundll32.exe	21
PID 376 wrote to memory of 1280	376	rundll32.exe	22
PID 376 wrote to memory of 1404	376	rundll32.exe	23
PID 376 wrote to memory of 1412	376	rundll32.exe	24
PID 376 wrote to memory of 1420	376	rundll32.exe	25
PID 376 wrote to memory of 1476	376	rundll32.exe	26
PID 376 wrote to memory of 1496	376	rundll32.exe	27
PID 376 wrote to memory of 1652	376	rundll32.exe	28
PID 376 wrote to memory of 1688	376	rundll32.exe	29
PID 376 wrote to memory of 1696	376	rundll32.exe	30
PID 376 wrote to memory of 1792	376	rundll32.exe	31
PID 376 wrote to memory of 1804	376	rundll32.exe	32
PID 376 wrote to memory of 1900	376	rundll32.exe	33
PID 376 wrote to memory of 1908	376	rundll32.exe	34
PID 376 wrote to memory of 1980	376	rundll32.exe	35
PID 376 wrote to memory of 1988	376	rundll32.exe	36
PID 376 wrote to memory of 1860	376	rundll32.exe	37
PID 376 wrote to memory of 2060	376	rundll32.exe	38
PID 376 wrote to memory of 2136	376	rundll32.exe	39
PID 376 wrote to memory of 2188	376	rundll32.exe	40
PID 376 wrote to memory of 2368	376	rundll32.exe	41
PID 376 wrote to memory of 2376	376	rundll32.exe	42
PID 376 wrote to memory of 2396	376	rundll32.exe	43
PID 376 wrote to memory of 2560	376	rundll32.exe	44
PID 376 wrote to memory of 2648	376	rundll32.exe	45
PID 376 wrote to memory of 2660	376	rundll32.exe	46
PID 376 wrote to memory of 2684	376	rundll32.exe	47
PID 376 wrote to memory of 2692	376	rundll32.exe	48
PID 376 wrote to memory of 2948	376	rundll32.exe	49
PID 376 wrote to memory of 2988	376	rundll32.exe	50
PID 376 wrote to memory of 2996	376	rundll32.exe	51
PID 376 wrote to memory of 684	376	rundll32.exe	52
PID 376 wrote to memory of 3176	376	rundll32.exe	53
PID 376 wrote to memory of 3300	376	rundll32.exe	54
PID 376 wrote to memory of 3432	376	rundll32.exe	56
PID 376 wrote to memory of 3552	376	rundll32.exe	57
PID 376 wrote to memory of 3736	376	rundll32.exe	58
PID 376 wrote to memory of 3832	376	rundll32.exe	59
PID 376 wrote to memory of 3896	376	rundll32.exe	60
PID 376 wrote to memory of 3984	376	rundll32.exe	61
PID 376 wrote to memory of 3680	376	rundll32.exe	62
PID 376 wrote to memory of 380	376	rundll32.exe	65
PID 376 wrote to memory of 4856	376	rundll32.exe	66
PID 376 wrote to memory of 2116	376	rundll32.exe	68
PID 376 wrote to memory of 2720	376	rundll32.exe	69
PID 376 wrote to memory of 1872	376	rundll32.exe	70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2988
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3832
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3896
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3984
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3680
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1464
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4844
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3268
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2304
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2764
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2752
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:684
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1404
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2560

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a95d5585ab1491c13310c39e4822a2a_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a95d5585ab1491c13310c39e4822a2a_JaffaCakes118.dll,#1
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 592
      4⤵
      Program crash
      PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2720

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 376 -ip 376
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-0-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/376-78-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/616-3-0x00000000261B0000-0x00000000261B1000-memory.dmp

Filesize
4KB

Download
memory/1860-35-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download