0023e7760f7688599dba0d05d77a7d8d0f664fd84c93c5cc975c6ca512b98a18

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d675195022267d2ab295d7a95e8db4d1_JaffaCakes118.dll
Size

69KB
MD5

d675195022267d2ab295d7a95e8db4d1
SHA1

174ae5356c9bb54efbc373a47d59a074d3d7462e
SHA256

0023e7760f7688599dba0d05d77a7d8d0f664fd84c93c5cc975c6ca512b98a18
SHA512

c6172f2356e9e84bd9ac25344922b602f08016d63c6a986e81db5877f261cf519dd6ed8a0f91ec0256ff0716cedc427f8c5b2a7c54a691aa68663035be3521b5
SSDEEP

1536:DZt0arWEp41toBV72jOgJCLaBnH3GWk0B:tRrWEp+oTyOLLanHoE

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HookHelp.sys	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30
PID 2196 wrote to memory of 1784	2196	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d675195022267d2ab295d7a95e8db4d1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d675195022267d2ab295d7a95e8db4d1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4FAA.tmp

Filesize
3KB

MD5
fcee3f624bf9f0c9cd525b7460c5e1e8

SHA1
3467a9041c8f81e34b15924904256f782678a98f

SHA256
dcf1f0e20cce044229071e7aa11383ef4631ec8f7be7ceaa4e3e26ee7113d22a

SHA512
05faf7795cb663dda8cfaca31f6b81b7da6bf96c6f54d4bc2693efa870bbdd6c579b7585c0b33173a37ab8a4a46a93bb6d6943a112f0a9fcd291173b7d85c640

Download Submit
C:\name.log

Filesize
60B

MD5
a764045c1199b36daa0811698ce1f92b

SHA1
9f367bac911d786b9d44e52585cb71afb24e7967

SHA256
5bee6dee7219fe42b556542a3fdec752f259c5375ccdf02f6fdef07ce5e07d52

SHA512
444fb66a75a5695127f881c6fb98920769e562213c7a9700af1d79eabd3753609b9caf787ad4c06bac9d72d0eaff40d32073fb368d104d787c06c78aaa6ecf10

Download Submit
memory/1784-2-0x0000000025000000-0x0000000025066000-memory.dmp

Filesize
408KB

Download
memory/1784-4-0x0000000025000000-0x0000000025066000-memory.dmp

Filesize
408KB

Download
memory/1784-3-0x000000002505E000-0x000000002505F000-memory.dmp

Filesize
4KB

Download
memory/1784-1-0x0000000025000000-0x0000000025066000-memory.dmp

Filesize
408KB

Download
memory/1784-0-0x0000000025000000-0x0000000025066000-memory.dmp

Filesize
408KB

Download