Overview

overview

7

Static

static

3

b1f6dd0e74...18.dll

windows7-x64

5

b1f6dd0e74...18.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1f6dd0e743530ad2ed98e0d1b7387d1_JaffaCakes118.dll

  • Size

    25KB

  • MD5

    b1f6dd0e743530ad2ed98e0d1b7387d1

  • SHA1

    2af8bb54b4fabbd567241e794dd2b7f82f2a9eb2

  • SHA256

    e7e35d583a1ebe2a6663f4b11ba88b238fd65239a72e5d3a0b5ca57852c38de9

  • SHA512

    63ad80e47e66acb451793e7a558b1218c5df0d18da88ce93342b23fb51834268b5dd468ac79684bcca147c8871419d9d6f9bd759c28b59db9f4dfaa34f2b102a

  • SSDEEP

    768:7HBn+plZ/RZaOW9JOc5ZyREURXv3fA+T2XAGSVM:7Bn+R5cz+jKefh+AvM

Score
5/10
defense_evasiondiscoveryprivilege_escalation

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1f6dd0e743530ad2ed98e0d1b7387d1_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1f6dd0e743530ad2ed98e0d1b7387d1_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Windows\msvcr.dll",_RunAs@0
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Access Token Manipulation: Create Process with Token
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\msvcr.dll
    Filesize

    25KB

    MD5

    b1f6dd0e743530ad2ed98e0d1b7387d1

    SHA1

    2af8bb54b4fabbd567241e794dd2b7f82f2a9eb2

    SHA256

    e7e35d583a1ebe2a6663f4b11ba88b238fd65239a72e5d3a0b5ca57852c38de9

    SHA512

    63ad80e47e66acb451793e7a558b1218c5df0d18da88ce93342b23fb51834268b5dd468ac79684bcca147c8871419d9d6f9bd759c28b59db9f4dfaa34f2b102a

    Download Submit

  • memory/1868-2-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-4-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-3-0x000000001001A000-0x000000001001B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1868-1-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-0-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-9-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2720-8-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2720-10-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2720-14-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB

    Download