854e53eb74971899feded9c773b2e6ae66cc0c819d17b1e9d8ebd9f01e23bf84

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 16:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7520b54b10a6a515b20c5b617ecc68d_JaffaCakes118.dll
Size

38KB
MD5

a7520b54b10a6a515b20c5b617ecc68d
SHA1

66f65ddb8e0a34797c60f9caf78f155f3c808505
SHA256

854e53eb74971899feded9c773b2e6ae66cc0c819d17b1e9d8ebd9f01e23bf84
SHA512

8a3fea88dd99954a5148951d271ee436f5287dcab7e9e5b4ff4bd3e0663e4b0d5eda33f871c4e00e33d72e5d9965b9f5f0b6e54d4f9067ce66c99f4ae9462d06
SSDEEP

768:fLlMg/ija+1I/5Ji9tCSuOvY+SWO8DtDG/zO39CKCf6TYV9:fLlJJQtiZNYDGSCKc9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCXC90D.tmp	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.exe	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.exe	rundll32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.dll	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.dll	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
312	sys16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2440	344	rundll32.exe	84
PID 344 wrote to memory of 2440	344	rundll32.exe	84
PID 344 wrote to memory of 2440	344	rundll32.exe	84
PID 2440 wrote to memory of 312	2440	rundll32.exe	88
PID 2440 wrote to memory of 312	2440	rundll32.exe	88
PID 2440 wrote to memory of 312	2440	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7520b54b10a6a515b20c5b617ecc68d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7520b54b10a6a515b20c5b617ecc68d_JaffaCakes118.dll,#1
  2⤵
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.exe"
    3⤵
    - Executes dropped EXE
    PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys16.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2440-17-0x0000000000120000-0x0000000000133000-memory.dmp

Filesize
76KB

Download