c3042afa2b8e4d109df7f9552737c79d349ec4d47e11276ca0db6ce77d997a10

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d184629d0db7b62282889bff61f77ebb_JaffaCakes118.dll
Size

21KB
MD5

d184629d0db7b62282889bff61f77ebb
SHA1

261dc53d716d28317751b0e589e9aef491186b26
SHA256

c3042afa2b8e4d109df7f9552737c79d349ec4d47e11276ca0db6ce77d997a10
SHA512

78eee510cf20b03b5bd457db64f3ee89f648b7f97917f5b073a171a4bd92ef778ef9800ac9fd5374dbf2bb2bb370000efcd984f43dd881f44629818e99c36bc7
SSDEEP

384:01wDae1gfqF3QW1dgWnmZ8xb8RHXw8nA0r04D1d97oCCyO:7eIgfq+W1dRmZ8xQnJgw97oCCy

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2524	rundll32.exe
6	2524	rundll32.exe
7	2524	rundll32.exe
8	2524	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\ado\msado12.tlb	cmd.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado12.tlb	cmd.exe
File created	C:\Program Files\Common Files\System\ado\msadoh16.tlb	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado12.tlb	cmd.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado12.tlb	cmd.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadoh16.tlb	rundll32.exe
File created	C:\Program Files\Common Files\System\ado\msado18.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2092	ipconfig.exe
2980	ipconfig.exe
2716	ipconfig.exe
2612	ipconfig.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 1660 wrote to memory of 2524	1660	rundll32.exe	31
PID 2524 wrote to memory of 2340	2524	rundll32.exe	32
PID 2524 wrote to memory of 2340	2524	rundll32.exe	32
PID 2524 wrote to memory of 2340	2524	rundll32.exe	32
PID 2524 wrote to memory of 2340	2524	rundll32.exe	32
PID 2340 wrote to memory of 2092	2340	cmd.exe	34
PID 2340 wrote to memory of 2092	2340	cmd.exe	34
PID 2340 wrote to memory of 2092	2340	cmd.exe	34
PID 2340 wrote to memory of 2092	2340	cmd.exe	34
PID 2524 wrote to memory of 2660	2524	rundll32.exe	35
PID 2524 wrote to memory of 2660	2524	rundll32.exe	35
PID 2524 wrote to memory of 2660	2524	rundll32.exe	35
PID 2524 wrote to memory of 2660	2524	rundll32.exe	35
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2524 wrote to memory of 3000	2524	rundll32.exe	39
PID 2524 wrote to memory of 3000	2524	rundll32.exe	39
PID 2524 wrote to memory of 3000	2524	rundll32.exe	39
PID 2524 wrote to memory of 3000	2524	rundll32.exe	39
PID 2524 wrote to memory of 2832	2524	rundll32.exe	40
PID 2524 wrote to memory of 2832	2524	rundll32.exe	40
PID 2524 wrote to memory of 2832	2524	rundll32.exe	40
PID 2524 wrote to memory of 2832	2524	rundll32.exe	40
PID 2524 wrote to memory of 2956	2524	rundll32.exe	43
PID 2524 wrote to memory of 2956	2524	rundll32.exe	43
PID 2524 wrote to memory of 2956	2524	rundll32.exe	43
PID 2524 wrote to memory of 2956	2524	rundll32.exe	43
PID 2956 wrote to memory of 2716	2956	cmd.exe	45
PID 2956 wrote to memory of 2716	2956	cmd.exe	45
PID 2956 wrote to memory of 2716	2956	cmd.exe	45
PID 2956 wrote to memory of 2716	2956	cmd.exe	45
PID 2524 wrote to memory of 2580	2524	rundll32.exe	46
PID 2524 wrote to memory of 2580	2524	rundll32.exe	46
PID 2524 wrote to memory of 2580	2524	rundll32.exe	46
PID 2524 wrote to memory of 2580	2524	rundll32.exe	46
PID 2580 wrote to memory of 2612	2580	cmd.exe	48
PID 2580 wrote to memory of 2612	2580	cmd.exe	48
PID 2580 wrote to memory of 2612	2580	cmd.exe	48
PID 2580 wrote to memory of 2612	2580	cmd.exe	48

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d184629d0db7b62282889bff61f77ebb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d184629d0db7b62282889bff61f77ebb_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all > "C:\Program Files\Common Files\System\ado\msado12.tlb"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all > "C:\Program Files\Common Files\System\ado\msado12.tlb"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Program Files\Common Files\System\ado\winmgmt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del c:\xx_xx.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all > "C:\Program Files\Common Files\System\ado\msado12.tlb"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all > "C:\Program Files\Common Files\System\ado\msado12.tlb"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\ado\msado12.tlb

Filesize
1KB

MD5
00a4bc0e13bb9ed18658840335b18f54

SHA1
360e9e5267aa318c39038d707298cdbd33538c43

SHA256
93a296c6b2d804acd56f7c991f1d4d6c310c8142afe20d7cc975c28dbdfa6972

SHA512
670c7cda0a5022e3b41706d6fece2070f61be53342030456a3fabfceb883d85210478564b5161164d586b9844cd33d9cec17b58eb00420e772f5808b94793294

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads