Analysis

  • max time kernel
    97s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 03:21

General

  • Target

    d36ae5fcfbb000dcc26e8d6a9b94abe0_JaffaCakes118.dll

  • Size

    21KB

  • MD5

    d36ae5fcfbb000dcc26e8d6a9b94abe0

  • SHA1

    3eabb6be99f934dd457652a3f58a9db6a9a5e162

  • SHA256

    d173150f1dccfa57790e9bae02598ebc620a3b2775d025ff370072f061a30374

  • SHA512

    dc1c7ef7dc478168ca319fe0853c1f6d868fde5bfd501dccd0dd2829aba38e7939cdc3935dcba0741565fd6252b15f488d8d85842c17df0f78069fb67ecb85df

  • SSDEEP

    384:nLWCpCJ6xhNN8S0gPW2KUCphaMTaR3ItDCuV9UAvdOh+/3o:LzZtN8SVKUCpJTaItO4U6di+/

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d36ae5fcfbb000dcc26e8d6a9b94abe0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d36ae5fcfbb000dcc26e8d6a9b94abe0_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe import "C:\Users\Admin\aeed.avi"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5056
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\System32\sc.exe config PolicyAgent start=auto
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4812
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\System32\sc.exe stop PolicyAgent
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3936
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\System32\sc.exe start PolicyAgent
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:5076
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\System32\sc.exe stop PolicyAgent
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:5116
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Drv.sys

    Filesize

    3KB

    MD5

    6945fab8774c6f201b32f14350048684

    SHA1

    235d164bbd2a7e0f09c863bbf9b59fdc419a1aec

    SHA256

    49415a5dec8f94e98d4f7148bbe3274f05d4599f0675e352080116e4d8478995

    SHA512

    a924d62e29756e543ed6e4d9d051e03680010951f55c1d9f54d12902769a2c03d0d9e08f1b74916982b20a6f4210d8f80f6b9ef4a631f1c9e29f9b1e46d02188

  • C:\Users\Admin\aeed.avi

    Filesize

    56KB

    MD5

    bc8025bc98da7f4ed891c9f9991d3ff1

    SHA1

    70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

    SHA256

    59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

    SHA512

    7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

  • memory/5100-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5100-12-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB