0191cac2657e1a2c8f1669ce82d0a6fe8328cfa1aa66ac8f51f74def59c0c598

Analysis

max time kernel
113s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 03:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bd000284699c4342267bd473dd14e8e_JaffaCakes118.dll
Size

36KB
MD5

3bd000284699c4342267bd473dd14e8e
SHA1

3380885f4fc4853d32482963fb77e5abb3b7095a
SHA256

0191cac2657e1a2c8f1669ce82d0a6fe8328cfa1aa66ac8f51f74def59c0c598
SHA512

097ca4d26786e61a026e3ab642fe8d7dfc19507dc4e122793c601caf51e0852c2060e8bda736ea810b5d605347b3629d2d5955279c15f250846573780be71bca
SSDEEP

384:PhfohK86pddylKqvv3d7yz4TaAXUOaKeGTEOtNWieTWZvz:Z0KFOlKqv1Sw7XUOa0ERy

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\windows\\system32\\dmdskngr.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\dmdskngr.dll	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\system32 \browseui.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30
PID 1292 wrote to memory of 2156	1292	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd000284699c4342267bd473dd14e8e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd000284699c4342267bd473dd14e8e_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\dmdskngr.dll

Filesize
12KB

MD5
99a0557dd9b60f6683fa62e02d358e51

SHA1
af9750975110a7b68ca0884647801458290ea0e3

SHA256
3a5b7a458c5a6c9a412425759191e97eb69d3caaba58190d3955125aaf7e3ac7

SHA512
e09b68006dafdc336aca8f8ea2d0e7b38024dd229092f8919664ddb1a86ddc94de77e4224883b02421da2f97e2ef9dd441ac895d7b8dd9b3f9d41f3b1eb8f234

Download Submit