Overview

overview

8

Static

static

3

d0255a0b4e...18.exe

windows7-x64

8

d0255a0b4e...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0255a0b4e468f709c8a8673a1d49035_JaffaCakes118.exe

  • Size

    284KB

  • MD5

    d0255a0b4e468f709c8a8673a1d49035

  • SHA1

    2976712f82b93600921811f59f7cbea17a7a9601

  • SHA256

    2cf948d90f2971e902a2294ae324a23ae1556644ed9ecd463bda41d6f9a7c2db

  • SHA512

    00f93ffbf2ae10c4dfdf74ccc1771b539e0246215cd2805afaf7122eb644bb07a0cf7846dadcd93a7ca361d02f815f0ccbfbceb86fe045e122fac51c85ed6047

  • SSDEEP

    3072:tXbmAgiyC6T8fGJKTtSBKVEHRuoj3Y1BywfD4uwStjAjTUKITcFUeCfx6CZMxqCo:36YLcBKiYfDRwStjgQLc6eBSqSOXoqQ

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 5 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    persistence
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0255a0b4e468f709c8a8673a1d49035_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0255a0b4e468f709c8a8673a1d49035_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
      PID:2796
    • C:\Windows\System32\spoolsv.exe
      C:\Windows\System32\spoolsv.exe
      1⤵
      • Boot or Logon Autostart Execution: Port Monitors
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2880

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Port Monitors

    1
    T1547.010

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Port Monitors

    1
    T1547.010

    Defense Evasion

    Credential Access

    Discovery

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Program Files (x86)\Internet Explorer\D3DCompiler_47ex.dll
      Filesize

      212KB

      MD5

      555bd7c36b548e940cadcde41aee8674

      SHA1

      c362cacd159529e3df11340a971d56eb8909c217

      SHA256

      c22598023f2540b9bc8775be392c1e71fb2d1b4bb59a3ce9e451cb01a68a5963

      SHA512

      97e4034efce89d43cdd11a30801ad3d04881fb4e67953b09410a2c6b74c25b4356f6316db8be1591aa1fec06927232c35ca66ae61453a07ac06a8e4a91da2735

      Download Submit