83e30f6099aa9c733577c7b01ab1e4e722010a6aae35bf5852958c6a0200a307

Analysis

max time kernel
150s
max time network
87s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll
Size

32KB
MD5

81c41b32dc40d11c75fa9f98ce3b6ec2
SHA1

1849f8615d3c76cc7ea2b201b80cd66b55cf78f5
SHA256

83e30f6099aa9c733577c7b01ab1e4e722010a6aae35bf5852958c6a0200a307
SHA512

f60fd84b033c057040bd30b74e4784a9f0fe003a7f20dddc3044794404a58bc4d2e56f086db16121f7e914936bc46eec5874481a3c87ffce9aaf49cfa7e275f6
SSDEEP

384:ZbCrSXpOgj8RYn6B4gmoi6222+01JzRRUvwkUbGSMR9CHomS9M8ZCHomL:JCrSN6SgpUvHovWG5CHy5CHr

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
924	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
924	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30
PID 2960 wrote to memory of 924	2960	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\81c41b32dc40d11c75fa9f98ce3b6ec2_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E5FC.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit