820ecf86fcd7788cd6bdef2e4b4d2c6ea03d797422d59148f94b66a3e5a07244

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28e21fce53fb67e450f9a8b022dc5e9_JaffaCakes118.dll
Size

4.2MB
MD5

b28e21fce53fb67e450f9a8b022dc5e9
SHA1

5d342122cb350b15efd3eb19b2a751fe5943a510
SHA256

820ecf86fcd7788cd6bdef2e4b4d2c6ea03d797422d59148f94b66a3e5a07244
SHA512

b6a8a68f0a439eebe9ce1e38d4e545503dc278ec4039703e9eac568ef337c36084e22c912e5d07664ecd4b56286f27a6257833594cbf1d25c634d362c7b77c9f
SSDEEP

6144:zS4wnO0WX+enrnWLg3QT2OB+mKiPBlp83bv56G8GaN:mJO0WueDH3QTILiPBibvT0

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3036	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllwexp.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\dllwexp.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31
PID 3032 wrote to memory of 3036	3032	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b28e21fce53fb67e450f9a8b022dc5e9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b28e21fce53fb67e450f9a8b022dc5e9_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\dllwexp.dll

Filesize
5.4MB

MD5
b082daca7b19a40504f83f2050c44cce

SHA1
9d9f145fe550ea1e731e50dd1cd7c7a4b67c1f5b

SHA256
5d151667f9990c03fd2fee2e167dd6063cfd3c8b2b2d99d48a97d87db2d1bc7d

SHA512
ef1fb8f7c74f905220102ae6a13c8d3a47e2f98afdf1483c1d52134ea180b0be3231b34df75de68ec638580fc8224e8fa8576804da72103c17685dec0cd10d33

Download Submit
memory/3036-0-0x0000000000200000-0x000000000023E000-memory.dmp

Filesize
248KB

Download
memory/3036-2-0x00000000006F0000-0x0000000000747000-memory.dmp

Filesize
348KB

Download
memory/3036-8-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/3036-9-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/3036-22-0x0000000000800000-0x0000000000857000-memory.dmp

Filesize
348KB

Download
memory/3036-28-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/3036-21-0x0000000000800000-0x0000000000857000-memory.dmp

Filesize
348KB

Download
memory/3036-19-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/3036-35-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/3036-34-0x0000000000200000-0x000000000023E000-memory.dmp

Filesize
248KB

Download