Overview

overview

8

Static

static

3

3e6e53f79e...18.dll

windows7-x64

8

3e6e53f79e...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e6e53f79e7fb37d02f26b2c21175acd_JaffaCakes118.dll

  • Size

    60KB

  • MD5

    3e6e53f79e7fb37d02f26b2c21175acd

  • SHA1

    f0831bd5acd5052863b8bf4f08942936ade086bb

  • SHA256

    83300ba5355abdcaa2f3955b475a642d6599193e9b9dc2ee4963895f26e855c9

  • SHA512

    cd3e64136e2da2e58c8ceeed5e57f888665ed145f2712faf31beefacd70e5fc3c7ffddd3025b11da80707681d8c399ce1cc1defdfe9be8e8c8855e837d91b58f

  • SSDEEP

    768:wBZX+Nzp4mjNx4Ds4l6iE18++uWdB9GBc81f+Iw5BLJUXNPgH9nmscY:wPdc1inuWdB9r8YXPJY2BmscY

Score
8/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e6e53f79e7fb37d02f26b2c21175acd_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e6e53f79e7fb37d02f26b2c21175acd_JaffaCakes118.dll,#1
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\regedit.exe
          "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
          4⤵
          • Runs .reg file with regedit
          PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.reg
    Filesize

    152B

    MD5

    b100f5324ef74ded0b998e64d07a2e19

    SHA1

    40b0d7f51bf2dd8451f1b723d21355c471a5fa46

    SHA256

    3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

    SHA512

    c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

    Download Submit

  • memory/3136-0-0x0000000010000000-0x000000001000F000-memory.dmp

    Filesize

    60KB

    Download