c5b4087ffcc898d9acb757cf465a31018f835d1c0bb8176d8c9885914cc1d6a5

Analysis

max time kernel
147s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96a533ad60e50d9e49a9a14cb533be6e_JaffaCakes118.dll
Size

109KB
MD5

96a533ad60e50d9e49a9a14cb533be6e
SHA1

4853f8b698cd7c401b2f563a2ade5e779c85ac70
SHA256

c5b4087ffcc898d9acb757cf465a31018f835d1c0bb8176d8c9885914cc1d6a5
SHA512

37cfae19263d034cd32664f2f7f515b1c972a01052ee8fecd9e0aebbf0035ef0266b39b999314edd96dda7304d1c518482cfa5f85869869a6b0cdaba6f790165
SSDEEP

1536:SRRahOm52vcfKdqvHeE+3mnjRYLx1I0u4q52aHqMFooZhZWlYI/UH5ljaDFeTULT:SRRWgYD7OHq52apxZf1K5FQhtWvd

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\ParametErs\ServiceDll = "C:\\Windows\\system32\\ulib.dll"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ulib.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ulib.dll	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3660	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3660	4904	rundll32.exe	83
PID 4904 wrote to memory of 3660	4904	rundll32.exe	83
PID 4904 wrote to memory of 3660	4904	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96a533ad60e50d9e49a9a14cb533be6e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\96a533ad60e50d9e49a9a14cb533be6e_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3660-0-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/3660-1-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3660-2-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/3660-3-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download