Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 15:37 UTC

General

  • Target

    d69c172a3bc29e864cf6744e69699770_JaffaCakes118.dll

  • Size

    26KB

  • MD5

    d69c172a3bc29e864cf6744e69699770

  • SHA1

    7f0341790d3911ac99efe55a7d9d23224addc92a

  • SHA256

    00c32106fcbb939aa32e002d1c8211669cfc7d4d9690cf1ec726d428108a80ad

  • SHA512

    cbf768bc60611ec62086b386b697814d241f46cc81cb945f008b5268ec4b61a39afa07ef0b35f8b01b4556a3ba63b56b456780142aeeb49f41173448ec9738a1

  • SSDEEP

    384:GmgT4BTQ0IyKJWpyb7ABGOp4nZCutNGhtIbaAn4YvlPu50nxGxkTliomvhXz0FJX:QTyKjAYE4wJmaIlmkhiokz8X

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d69c172a3bc29e864cf6744e69699770_JaffaCakes118.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\d69c172a3bc29e864cf6744e69699770_JaffaCakes118.dll,#1
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Windows\system32\jkkJaawu.dll,a
          3⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:1080

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Windows\SysWOW64\jkkJaawu.dll

      Filesize

      26KB

      MD5

      d69c172a3bc29e864cf6744e69699770

      SHA1

      7f0341790d3911ac99efe55a7d9d23224addc92a

      SHA256

      00c32106fcbb939aa32e002d1c8211669cfc7d4d9690cf1ec726d428108a80ad

      SHA512

      cbf768bc60611ec62086b386b697814d241f46cc81cb945f008b5268ec4b61a39afa07ef0b35f8b01b4556a3ba63b56b456780142aeeb49f41173448ec9738a1

    • memory/428-7-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

    • memory/1080-19-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/1080-18-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/1080-20-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/1080-21-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/3044-0-0x0000000010021000-0x0000000010022000-memory.dmp

      Filesize

      4KB

    • memory/3044-1-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/3044-2-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/3044-6-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/3044-10-0x00000000002A0000-0x00000000002C3000-memory.dmp

      Filesize

      140KB
