d4748f12d7aa32a1bb9bdb45195975690552614244092de9f8c371cfcb72ed38

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
Size

49KB
MD5

48c5ea4e813e1518d26f92632f52b75a
SHA1

9ae4aa4d6449e5f0f30267a19efe7853a5997f04
SHA256

d4748f12d7aa32a1bb9bdb45195975690552614244092de9f8c371cfcb72ed38
SHA512

7b877b8a139f363b3faa1c03fa2e80954081a0a2480a0effcaa0a9c6b8426b9a3a18f1eb3b641a4a702b4845cd68b274280dd8e904efa51908759f72de9faaa5
SSDEEP

1536:vnEkah9FisULYtapaO4IWzLhhHRCRuT/IdYr:vEr1ULYWaOQL/H4Qzr

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	2312	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
2312	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\ddcYrRki.dll,#1"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ddcYrRki.dll	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddcYrRki.dll	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\ddcYrRki.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 612	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	5
PID 1636 wrote to memory of 2312	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	88
PID 1636 wrote to memory of 2312	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	88
PID 1636 wrote to memory of 2312	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	88
PID 1636 wrote to memory of 1420	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	89
PID 1636 wrote to memory of 1420	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	89
PID 1636 wrote to memory of 1420	1636	48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe	89

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\ddcYrRki.dll,a
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mlJCTNHB.bat "C:\Users\Admin\AppData\Local\Temp\48c5ea4e813e1518d26f92632f52b75a_JaffaCakes118.exe"
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mlJCTNHB.bat

Filesize
63B

MD5
bf024437e200be91ceed11741f76fd48

SHA1
d3bf7995a1c6212546144f0a5680ab7f086ade5d

SHA256
68eeacc2a76a5413830455c05bf3e7dbf5ac8efcca3d4406d0b00a25cd37b51b

SHA512
fd1107c196ad816e56ada6bbfd043b3a7c22fa6feace4dc399f73650a2d0a2ebd08620adac9515d0f9327b1ea3a6b1432b4d3c26211a140fb695710a3edbae94

Download Submit
C:\Windows\SysWOW64\ddcYrRki.dll

Filesize
36KB

MD5
56d655c36f92760d8168dd56f2d8274e

SHA1
64279a1a0dfd01949e3a8669461d88763c9d3b38

SHA256
954609e7570d1c7f78d821d386a3b0b70e170ee5182b2d3cc8aead04b895f574

SHA512
b9bb179f31a42c119f270a0087a79c670899226f31e472de8bec8c2db708ac99748be33a44f63ceddeb26b97734da28c31f788a6bbfcd70159aa4d0a1cbe3d0c

Download Submit
memory/1636-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1636-1-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/1636-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1636-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1636-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1636-11-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/2312-20-0x0000000000F60000-0x0000000000F65000-memory.dmp

Filesize
20KB

Download
memory/2312-19-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2312-22-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download