fb6dd5f8e6fd51478af13fffec5c7e9e53e47d3829a439f0290fdbc18d672736

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e8f70b886686778f4895fa779464f14_JaffaCakes118.dll
Size

468KB
MD5

8e8f70b886686778f4895fa779464f14
SHA1

d4c9bc47fcaa574b02d60a6d236eed4a43e23163
SHA256

fb6dd5f8e6fd51478af13fffec5c7e9e53e47d3829a439f0290fdbc18d672736
SHA512

1f886a39e56c79113f785a10982b2843c2f17d07c7fdb33bee3992c18e9bda5214b53136afef930e10546eeea37f0214cc168d94ad01e4310ba00a22d9a9b681
SSDEEP

12288:ICTtmF/aOiHI4grxo7Xgy7v32lAvBu1+XHLC5:ICBmF/aOj4grCbgy7PAA51HLC5

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	lodctr.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\inf\SQL_Anywhere_10\000C\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0007\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0011\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0804\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\sqlactnm.h	lodctr.exe
File opened for modification	C:\Windows\inf\SQL_Anywhere_10\sqlactnm.h	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0009\dbctrs10.ini	lodctr.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2460 wrote to memory of 2752	2460	regsvr32.exe	31
PID 2752 wrote to memory of 2836	2752	regsvr32.exe	32
PID 2752 wrote to memory of 2836	2752	regsvr32.exe	32
PID 2752 wrote to memory of 2836	2752	regsvr32.exe	32
PID 2752 wrote to memory of 2836	2752	regsvr32.exe	32
PID 2752 wrote to memory of 2432	2752	regsvr32.exe	34
PID 2752 wrote to memory of 2432	2752	regsvr32.exe	34
PID 2752 wrote to memory of 2432	2752	regsvr32.exe	34
PID 2752 wrote to memory of 2432	2752	regsvr32.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e8f70b886686778f4895fa779464f14_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8e8f70b886686778f4895fa779464f14_JaffaCakes118.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\unlodctr.exe
    unlodctr SQL_Anywhere_10
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\lodctr.exe
    lodctr dbctrs10.ini
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbctrs10.ini

Filesize
107KB

MD5
6b293c76e5f34fef64ab3da27a18a6c8

SHA1
2d32527b006ec935ec296e94b9c36f97e39a9186

SHA256
d81464266350203bd8033a33399bc63bc5e3d18d5b3972fcd68b005b1d51e2ab

SHA512
f3c22ff28d4d99054a5bb79f4af32108c6fcc3d59d7f150ab56da6bd8f3b55ee3c8cab8fa5c13b1583c6b09da5a5cf76266d7c7ee09c48cbdf2fca26607d964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlactnm.h

Filesize
4KB

MD5
4820834e998beaf599ee05ad783b7723

SHA1
00fea601f057169691ca4427b47cadb292134c95

SHA256
94df24c5c5cf8f7faa2ee7a09dec407d26bbcce6bd983e37a52cfc6f93576cf3

SHA512
3b7bf19d20b2ba265e956c772475f18e8d36fb2a0b054f3afd30db6d1d0303cf4f07227a4053bb841b87d7142b92d8b1de01db6c3d38cbc8866f1caa16ece693

Download Submit
memory/2752-0-0x0000000065150000-0x00000000651C5000-memory.dmp

Filesize
468KB

Download