81e5e73452aa8b14f6c6371af2dccab720a32fadfc032b3c8d96f9cdaab9e9df

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1fe2e5b3b8aac8f86d7363b92c71e0_JaffaCakes118.dll
Size

130KB
MD5

3f1fe2e5b3b8aac8f86d7363b92c71e0
SHA1

bb59cc5e0040ede227332e7da1942264cd75ec4c
SHA256

81e5e73452aa8b14f6c6371af2dccab720a32fadfc032b3c8d96f9cdaab9e9df
SHA512

b18f45710bf980cca78ea615b0de4bde0ac7db14a381b1c1b4a14d806ee2900f9251ae94422cd5ac6adcc5ee634f52069e4ae8391862fd7af198b135af7ef703
SSDEEP

1536:M6MgGPhCuagPE2zN6tBwUlEX25KuBC8WHIjFsNAaNYvZuTVMGMqxfUMu84QFzWDQ:MwWhCuLPfIMC71ghxcDEenVaxatsFVh

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\system32\\rundll32.exe \"c:\\users\\admin\\appdata\\roaming\\sydmain.dll\",AGTwLoad"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\prv = "䅁湔䑫䑈佬挫楏㘯煺噕慯㉁晄呢䥹偯礸⬱㕑硍晌浩敺䙑䩧歶洯䡤橄桧汆瀵渲呡浭礹䤶允䨲灚䙔坨圱煖㙃㡡楳啰㈶佺㐹睙煷呴浨〫楣汴偦临䕹㝭挹儹歯匰眴㥇㠫⼷䘹䱐婢㥇と乄呂坪煄潹兹㙐祈爷琰⽹睮䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁允䉁䍰䡰堯吶乏偄祶么㝓朶䡆汊丸噍楦䭖噴㈸儹䅄婢㥅伯浃偰癶䍑䝌䑪丶䵨䭉煭㠴义兺楈但匰㡶伳䅌㠱捰㠱䥯䑦瑂祫湂剚慯牉㍷琫獮睌䕰奴瑒㍊硡㑅呬娸婂娶ふ偅橘偱煫硢ㅈ煒㑆橰硂刱ㅪ䬵⽹ㅨ⭊睃え瑆畭剧灇䌯卉兩癄㍂䑫䙒灪㈴び佸捹㡥桪卭䡎⬵㉅䵐挳煘歃剮䥤㙦䑚佒愲䵬摤味桊噐匰样⭬乌䉢琸敺橴㙚剺婳㑌丶捇㉪㙰晢ㅑ䵪杲偷䥗刱湵甸湩夯湪祔灈捥態㍩坁䙇潈匸㕒䩤䙫䡰ぢ刷眱汭婍佱祘煖っ慦剰䡩㝥塭牯䉳䑔䈲瀹穣穳乖浫匫杕祋䴹䭏攫啺啥え㉨〹単剎攳汹樳㔴䌳礲敧䍓奁牨祕卅潑兇䙧㜵䑋び瀴⽓創㌫摙眱ㅲ啤偋偦砷䭫呚汴摲硱婓⭑瑘奌倵橨卹煄㉔㌳獗呖㉬䰶〱㥴偲灙渷㥅䜷摯㡺塄㡮晈獃剱奶摷晷佲㍄灣湁䱂甲朶⽕㕇癃㑷儷楹䙃㘹䵩偍坵煖㔲砯橌娹⭣坡瑍㥓樫䭖湸湬摶硡光㴽"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\pubm = "䅁瑓桶坕摒䍕穢樲䝘㈵䝸伶杘䡴䝸儹⽤正䩎琲䡑䅚硦䥄䠯氳硭㉹塊䱉牧⽩灨て慴橖扁獦桯捍愫湂慤歙慑㌷⽫偗癘㡩䙬䍆䭢䉂噇橦砷㑯浃䕩㕃汢䍚䑈瑎㙅潰敎䙕摋捤塘䅑䝥睏癣浑䡖硓湑甫䥈⭓煖瑥䕹兡䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁允䉁"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\p2 = "ԪՠիբլիՠԪըժահթՠնԪնշզԫյխյ"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\ID = "BDB6E-640-2460EXE"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\n1 = "էհռձխՠյլթթԫիՠձ"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\n3 = "ըՠայհիծձԫէլտ"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\s0 = 15150505ae1405055f05050546053f0559055005760560057705760559054405610568056c056b0559054405750575054105640571056405590549056a056605640569055905510560056805750559057b057105680543053d05320537052b05710568057505	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\n2 = "նլզժԫհՠհժԫզժը"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\p3 = "ԪլիզթհաՠնԪզժշՠԪնժհշզՠԫյխյ"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\p1 = "ԪզդշձԪզխՠզծժհձԪնՠձԪնլասԫյխյ"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\pub = "䅁湔䑫䑈佬挫楏㘯煺噕慯㉁晄呢䥹偯礸⬱㕑硍晌浩敺䙑䩧歶洯䡤橄桧汆瀵渲呡浭礹䤶允䨲灚䙔坨圱煖㙃㡡楳啰㈶佺㐹睙煷呴浨〫楣汴偦临䕹㝭挹儹歯匰眴㥇㠫⼷䘹䱐婢㥇と乄呂坪煄潹兹㙐祈爷琰⽹睮䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁䅁允䉁"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\n0 = "Բդախդշդձԫզժը"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry\SNLD\p0 = "ԪգժշհըԪլիզթհաՠնԪնՠդշզխԪթժբ՚նՠդշզխԫյխյ"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 1512 wrote to memory of 2460	1512	rundll32.exe	30
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 2476	2460	rundll32.exe	31
PID 2460 wrote to memory of 1196	2460	rundll32.exe	21
PID 2476 wrote to memory of 1196	2476	rundll32.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f1fe2e5b3b8aac8f86d7363b92c71e0_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f1fe2e5b3b8aac8f86d7363b92c71e0_JaffaCakes118.dll,#1
    3⤵
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe "c:\users\admin\appdata\roaming\sydmain.dll",AGTwRec
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\sydmain.dll

Filesize
130KB

MD5
3f1fe2e5b3b8aac8f86d7363b92c71e0

SHA1
bb59cc5e0040ede227332e7da1942264cd75ec4c

SHA256
81e5e73452aa8b14f6c6371af2dccab720a32fadfc032b3c8d96f9cdaab9e9df

SHA512
b18f45710bf980cca78ea615b0de4bde0ac7db14a381b1c1b4a14d806ee2900f9251ae94422cd5ac6adcc5ee634f52069e4ae8391862fd7af198b135af7ef703

Download Submit
memory/1196-6-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download