f8602ceae168804a17362d2cf8879c6b564d1605d4d3de245fa3a3874661f8aa

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 10:23

Target

8a00ca71bed2f7268dbb1a6e46d531e5_JaffaCakes118.dll
Size

34KB
MD5

8a00ca71bed2f7268dbb1a6e46d531e5
SHA1

8b46539d18d1d248b07b9f6e41d4363648855510
SHA256

f8602ceae168804a17362d2cf8879c6b564d1605d4d3de245fa3a3874661f8aa
SHA512

036d2c0ac3b6ab300fcc572e30ca79ae65e7c57c5d598c4f7985d73fbc9d25b52aefab8b87ab875b8ad61a71c916b3b913965142c32acf0cfb577b70822ea35c
SSDEEP

768:xuC8yipvBquTawK4/aUh7n5UwzN4MUFiQOJtrkT1ST3:4YipvBqCa0l7dJgFE

Score

10^/10

Modifies WinLogon for persistence 2 TTPs 1 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Windows\\system32\\"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	rundll32.exe
3828	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3828	1792	rundll32.exe	84
PID 1792 wrote to memory of 3828	1792	rundll32.exe	84
PID 1792 wrote to memory of 3828	1792	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a00ca71bed2f7268dbb1a6e46d531e5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a00ca71bed2f7268dbb1a6e46d531e5_JaffaCakes118.dll,#1
  2⤵
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828