22c3f7ec954c60a172155fa508994328a627737b2e1c0ef792cb599931eb7447

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467fbe613679da69e24bdeacc28cd32f_JaffaCakes118.dll
Size

36KB
MD5

467fbe613679da69e24bdeacc28cd32f
SHA1

eaef5c1c7e9750958a44ff69678a31b70a556cde
SHA256

22c3f7ec954c60a172155fa508994328a627737b2e1c0ef792cb599931eb7447
SHA512

11417fa058fbbea00c8f81139a30253366f698ae77459a3dff3ec853c21f645d18afca10d233631efe0b634362a0f7fe15085379686bb779957b47fdf5c34b1a
SSDEEP

768:7ogYVYCjnn1aeIgg68QtFfThfhVbj9KAAps3nbcuyD7UMa:7w6gg6ZLhf0S3nouy8

Score

8^/10

persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\msflxgrdf\Parameters\ServiceDll = "C:\\Windows\\system32\\msflxgrd.ocx.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1884	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/468-3-0x00000000001F0000-0x000000000020D000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-5.dat	upx
behavioral1/memory/1884-7-0x0000000000110000-0x000000000012D000-memory.dmp	upx
behavioral1/memory/468-8-0x00000000001F0000-0x000000000020D000-memory.dmp	upx
behavioral1/memory/1884-9-0x0000000000110000-0x000000000012D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msflxgrd.ocx.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msflxgrd.ocx.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31
PID 1664 wrote to memory of 468	1664	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\467fbe613679da69e24bdeacc28cd32f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\467fbe613679da69e24bdeacc28cd32f_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  PID:468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\msflxgrd.ocx.dll

Filesize
36KB

MD5
467fbe613679da69e24bdeacc28cd32f

SHA1
eaef5c1c7e9750958a44ff69678a31b70a556cde

SHA256
22c3f7ec954c60a172155fa508994328a627737b2e1c0ef792cb599931eb7447

SHA512
11417fa058fbbea00c8f81139a30253366f698ae77459a3dff3ec853c21f645d18afca10d233631efe0b634362a0f7fe15085379686bb779957b47fdf5c34b1a

Download Submit
memory/468-0-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/468-3-0x00000000001F0000-0x000000000020D000-memory.dmp

Filesize
116KB

Download
memory/468-2-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/468-1-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/468-8-0x00000000001F0000-0x000000000020D000-memory.dmp

Filesize
116KB

Download
memory/468-10-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/468-11-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/468-12-0x00000000001E0000-0x00000000001FD000-memory.dmp

Filesize
116KB

Download
memory/1884-7-0x0000000000110000-0x000000000012D000-memory.dmp

Filesize
116KB

Download
memory/1884-9-0x0000000000110000-0x000000000012D000-memory.dmp

Filesize
116KB

Download