55129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74593127f50abff5327b3f7038b456d2_JaffaCakes118.dll
Size

19KB
MD5

74593127f50abff5327b3f7038b456d2
SHA1

103c37f6276059a5ff47117b7f638013ccffe407
SHA256

55129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468
SHA512

0cfcc995898d02ae1380fb38a9aa6513cfc49a370cabc77820197fa5d7b09a18b592258e869a02cef828568aae46b9a1f66530bb332a694ab367f303a00020c5
SSDEEP

384:SkOAaqJcwDHGjqinFhRUFttqKtoO5/FLLnUanUMyO:FWTn6tI25/NLX

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "%HOMEFOLDER%, explorer"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 2012 wrote to memory of 1984	2012	rundll32.exe	30
PID 1984 wrote to memory of 1940	1984	rundll32.exe	31
PID 1984 wrote to memory of 1940	1984	rundll32.exe	31
PID 1984 wrote to memory of 1940	1984	rundll32.exe	31
PID 1984 wrote to memory of 1940	1984	rundll32.exe	31
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33
PID 1940 wrote to memory of 1924	1940	cmd.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\74593127f50abff5327b3f7038b456d2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\74593127f50abff5327b3f7038b456d2_JaffaCakes118.dll,#1
  2⤵
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\jckd.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 C:\PROGRA~3\APPLIC~1\ntuser.dat,GnoOdkq
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jckd.cmd

Filesize
55B

MD5
6518f774e598407c2b6d18031a2e4b2c

SHA1
cb58f3d656ae9458718561a049a4889a4dbe9d94

SHA256
1819c88bb330fe2569bc65bd99022c3cac2991784a516c45f18d96687f2e16ca

SHA512
62aca41ab32727808237ca272f0a0d39cbbaa2fa7438781502b2853c4e8b6a14afff6d30894f52dc5bbff940ff3b78016e3d44ffb90b832c62ab49ba0db2050f

Download Submit
\ProgramData\ntuser.dat

Filesize
19KB

MD5
ab6f45ca62fa540adad99b2443154095

SHA1
a014160aeaa3feb887121f70fff681686759bc07

SHA256
a206ea649c420d1529e525c76b1cf7080ae8782acdf48ca686bc1ed930c7178e

SHA512
5f9e0d0ee4566e82c2f9432c0f9d577831b91338364417d8a6024e712fee3aeb09ae7964c953c504d1a5dff940fd8f48b198af8c232680e884104621b801ad82

Download Submit
memory/1924-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1924-12-0x0000000000404000-0x0000000000408000-memory.dmp

Filesize
16KB

Download
memory/1924-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1984-0-0x0000000000164000-0x0000000000168000-memory.dmp

Filesize
16KB

Download
memory/1984-14-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads