65bf49a9e9c65dc613814fa4a1eb2067cf7029e285205114a12784a5f741d1a8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e07dcd4aba843776a775f6b2797022_JaffaCakes118.dll
Size

1.1MB
MD5

81e07dcd4aba843776a775f6b2797022
SHA1

7e8e46a2a8cb9a61b70e39d1c6c89b1e5d4f64fa
SHA256

65bf49a9e9c65dc613814fa4a1eb2067cf7029e285205114a12784a5f741d1a8
SHA512

19ce1fe5dcf6a873626eb85663f5f10c19be23b711a7c2eb2687af47876bb74659922cdde1dc841f8fc6346cebb055952315d003c1e61f42c206675f6422b1bd
SSDEEP

24576:SMpZ4OxwR1QcQq/W7ihb4bPWmBLXvPmVpTrdzjs00V:SuNZ7Ib8ZBL2/Xm

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dticem\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81e07dcd4aba843776a775f6b2797022_JaffaCakes118.dll"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\f6d6cdef2a.dll	svchost.exe
File created	C:\Windows\SysWOW64\f6d6cdef2a.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31
PID 1956 wrote to memory of 2052	1956	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\81e07dcd4aba843776a775f6b2797022_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\81e07dcd4aba843776a775f6b2797022_JaffaCakes118.dll
  2⤵
  - Server Software Component: Terminal Services DLL
  - System Location Discovery: System Language Discovery
  PID:2052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dtcGep
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\f6d6cdef2a.dll

Filesize
114B

MD5
6e95ea64a0c6a46fa46c14933af9368e

SHA1
72e272c7088baa094b06a87980fce610ec855480

SHA256
5f714ecb99b72847238394ddc22b0975fc0e38a5100c455e71777096206a8a7f

SHA512
fec832faa4d73a1f1e1a8e93e8d694eb8f473adc8766756d4da5b8250b94223f608a3553d86833ab037723a2b5f40f3c458367c82c303fcc648310f612350360

Download Submit
memory/2052-0-0x0000000002280000-0x0000000002397000-memory.dmp

Filesize
1.1MB

Download
memory/2516-1-0x00000000025C0000-0x00000000026D7000-memory.dmp

Filesize
1.1MB

Download
memory/2516-9-0x00000000025C0000-0x00000000026D7000-memory.dmp

Filesize
1.1MB

Download
memory/2516-23-0x00000000025C0000-0x00000000026D7000-memory.dmp

Filesize
1.1MB

Download