dbc6236ccf42a9ef283bd9c779e18d2c98d9fa91e0da92016956cc83ba581ced

Analysis

max time kernel
90s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe
Size

132KB
MD5

8ec86efd75e1b06ab83f150c625d97e5
SHA1

9beeae370c625b4cd5a8276624a1bd6b9ce0ddab
SHA256

dbc6236ccf42a9ef283bd9c779e18d2c98d9fa91e0da92016956cc83ba581ced
SHA512

21ba84637694055a26c5f015083c021e708b1a648e5761318dde26fea2953daaef42a2b734a1c8ec3de36d5e44443a2be3fdbd63ae7d750eb9a513786438b3bf
SSDEEP

3072:IwjQUimS8Si3JoMNHC/LEWMEvYBj4cMvvl1ZBrT0m+w20LHxZ:ImQJT8bv5C/LEWvvYZmzjg4Lf

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2540	rundll32.exe
2540	rundll32.exe
2540	rundll32.exe
2540	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\fxcrtLite = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\odbcWIlink\\fxcrtLite.dll\",EapMaindrv appWebplugin"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2540	2748	8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32
PID 2540 wrote to memory of 2912	2540	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ec86efd75e1b06ab83f150c625d97e5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nativeobjsvc.dll", EapMaindrv DfrgUserAgent
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\odbcWIlink\fxcrtLite.dll",EapMaindrv appWebplugin
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nativeobjsvc.dll

Filesize
148KB

MD5
1a0318710a0f8cb9db4b1b3d75cac0cc

SHA1
cc94379a2f3e03e188e31696ff50ec0c043b7488

SHA256
2532baed38224d31f1448646ea6e70b531379dda6527b14c9b234c28ffd11042

SHA512
c027a92b3c9e80b2ffb017f4b1555cb054f00cee40b8039fb72ac15e777d2b94ff3601659c625c7c2b2a8584a989a4878db338dac6afbf906f7fac633f12b0d6

Download Submit
memory/2748-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads