281aab749b17ed5a0d4a35cec2f1e87a24bd8a4e455ac03d0bf2de89a5ee9776

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abe4360065057e5bbc4d409898b99a79_JaffaCakes118.dll
Size

22KB
MD5

abe4360065057e5bbc4d409898b99a79
SHA1

a45ca180fc76f57b5dc35b1b0f8b6004c746ed9c
SHA256

281aab749b17ed5a0d4a35cec2f1e87a24bd8a4e455ac03d0bf2de89a5ee9776
SHA512

5f7e2a50575b8db3e0bc2b5b6986aff2619091c2f12b9a5f0269b8e0290a7ca44e041fc4a16b929f5e66f3ed048c4c9fabf9a7aeb1a05364ecddf097a5b9a399
SSDEEP

384:8suEaJKetkmlq9Rn3eRrWou7Cts0/VT54MnaDftTScFzTwJ3t8:92J1kmlqhE4MnaRTJTwJ3

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2840-3-0x0000000000180000-0x00000000001A0000-memory.dmp	upx
behavioral1/memory/2840-15-0x0000000000180000-0x00000000001A0000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2700	sc.exe
2920	sc.exe
1876	sc.exe
2848	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe
Token: SeRestorePrivilege	2840	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2788 wrote to memory of 2840	2788	rundll32.exe	30
PID 2840 wrote to memory of 2892	2840	rundll32.exe	31
PID 2840 wrote to memory of 2892	2840	rundll32.exe	31
PID 2840 wrote to memory of 2892	2840	rundll32.exe	31
PID 2840 wrote to memory of 2892	2840	rundll32.exe	31
PID 2840 wrote to memory of 2700	2840	rundll32.exe	33
PID 2840 wrote to memory of 2700	2840	rundll32.exe	33
PID 2840 wrote to memory of 2700	2840	rundll32.exe	33
PID 2840 wrote to memory of 2700	2840	rundll32.exe	33
PID 2840 wrote to memory of 2920	2840	rundll32.exe	35
PID 2840 wrote to memory of 2920	2840	rundll32.exe	35
PID 2840 wrote to memory of 2920	2840	rundll32.exe	35
PID 2840 wrote to memory of 2920	2840	rundll32.exe	35
PID 2840 wrote to memory of 1876	2840	rundll32.exe	37
PID 2840 wrote to memory of 1876	2840	rundll32.exe	37
PID 2840 wrote to memory of 1876	2840	rundll32.exe	37
PID 2840 wrote to memory of 1876	2840	rundll32.exe	37
PID 2840 wrote to memory of 2848	2840	rundll32.exe	39
PID 2840 wrote to memory of 2848	2840	rundll32.exe	39
PID 2840 wrote to memory of 2848	2840	rundll32.exe	39
PID 2840 wrote to memory of 2848	2840	rundll32.exe	39

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe4360065057e5bbc4d409898b99a79_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe4360065057e5bbc4d409898b99a79_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe import "C:\Users\Admin\pdpd.avi"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe config PolicyAgent start=auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe start PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Drv.sys

Filesize
4KB

MD5
331d5f62b82aa0e4cb479d010254d2ca

SHA1
1d94ad85b11e39449bd6940878e39d1fef2a5ac5

SHA256
d93181460c7095b0266e756590198eff28099e5ad06b6aeaaafcb3cfbb6065d2

SHA512
fd0d6eeb5e01aa81e30f749d8eaf94c81a7fe4e4af1934e60370a2b22141dd847fcda8e40886f71d5b41e560ddca702b5bf490422f1d9775bd73192a953a9ed9

Download Submit
C:\Users\Admin\pdpd.avi

Filesize
56KB

MD5
bc8025bc98da7f4ed891c9f9991d3ff1

SHA1
70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

SHA256
59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

SHA512
7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

Download Submit
memory/2840-0-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2840-3-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2840-2-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2840-1-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2840-15-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download