Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-09-2024 05:01

General

  • Target

    d9a8edbaab077b8601bac5369b1636e9_JaffaCakes118.dll

  • Size

    48KB

  • MD5

    d9a8edbaab077b8601bac5369b1636e9

  • SHA1

    b5f8dd5f6e3fd4a794a3eadce1e26a34bfb7dc7e

  • SHA256

    7134e8b04c259a4d339f12f138ee2d15f150df7b17063eac4c656711aebd24c4

  • SHA512

    e097cbaf056a394230f02b2b46a2299f950327d2ccb43817759cc0d000ce42265c59b188f28968ae88a21889eda80d7049cd505f2096a92de4850cb61753da6e

  • SSDEEP

    1536:cG93SLvzB6vzPBqNPOo6jK3OXBb62feVaGP7I9XWrz4+w:cG93SLvzGD+POo66OXVUaGPM9XWrz4d

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. DLLs listed in the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows are loaded into every process that loads user32.dll. Two caveats for triage: Windows 8 and later ignore this value when Secure Boot is enabled, and the report lists this signature as a TTP only, without an IoC count, so treat it as a behavioural hint rather than an observed registry write.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs are registered as values under HKLM\SOFTWARE\Microsoft\Netsh, with the DLL path as value data, and netsh.exe loads every registered helper each time it starts, so a DLL placed there runs whenever an administrator, script or service invokes netsh. The only file this sample drops is C:\Windows\SysWOW64\Speech\msethost.dll (see Downloads), so that key and that file are the first things to check and remove together.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2980
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:3024
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:3136
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3588
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9a8edbaab077b8601bac5369b1636e9_JaffaCakes118.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4716
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9a8edbaab077b8601bac5369b1636e9_JaffaCakes118.dll,#1
            3⤵
            • Blocklisted process makes network request
            • Adds Run key to start application
            • Drops file in System32 directory
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2352
              • C:\Windows\SysWOW64\RunDll32.exe
                RunDll32 "C:\Users\Admin\AppData\Local\Temp\d9a8edbaab077b8601bac5369b1636e9_JaffaCakes118.dll",Init
                4⤵
                • System Location Discovery: System Language Discovery
                PID:3800
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3720
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3904
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4004
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4068
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:680
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3608
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:1420
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4228
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:776
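The chain in the tree above (Explorer starting the 64-bit rundll32 with the sample from the user's Temp directory by ordinal #1, that process starting the SysWOW64 rundll32, and that one starting RunDll32 with the named export Init, while dropping a copy to C:\Windows\SysWOW64\Speech\msethost.dll and registering a Netsh helper) can be written down as detection logic. The Python below is an added example, not part of the sandbox report, run over events constructed to mirror the report's process tree. The Netsh value name msethost and the benign control event (Explorer launching a Control Panel applet through rundll32) are assumptions; the Run-key and AppInit_DLLs locations are included because the report's signatures list those TTPs, although the report does not show which values were written.

```python
"""Detection logic for the rundll32 chain and persistence writes in the report above.

Added example; events are constructed to mirror the report's process tree and are not
sandbox output. The Netsh value name "msethost" and the benign control event are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Taken from the report's General and Downloads sections.
SAMPLE_SHA256 = "7134e8b04c259a4d339f12f138ee2d15f150df7b17063eac4c656711aebd24c4"
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\d9a8edbaab077b8601bac5369b1636e9_JaffaCakes118.dll"


@dataclass
class Event:
    kind: str                  # "process", "file" or "registry"
    pid: int                   # acting process
    ppid: Optional[int] = None
    image: str = ""
    cmdline: str = ""
    target: str = ""           # dropped file path or registry value path
    sha256: str = ""


# Constructed events (PIDs and command lines as listed in the report's process tree).
EVENTS = [
    Event("process", 3588, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Event("process", 4716, 3588, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Event("process", 2352, 4716, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Event("process", 3800, 2352, r"C:\Windows\SysWOW64\RunDll32.exe", f'RunDll32 "{SAMPLE_DLL}",Init'),
    Event("file", 2352, target=r"C:\Windows\SysWOW64\Speech\msethost.dll", sha256=SAMPLE_SHA256),
    Event("registry", 2352, target=r"HKLM\SOFTWARE\Microsoft\Netsh\msethost"),  # value name assumed
    # Benign control (assumed): Explorer launching a Control Panel applet via rundll32 must not fire.
    Event("process", 5000, 3588, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 <dll>,<export> with an optionally quoted DLL path; the export may be an ordinal like #1.
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.I)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Registry locations behind the report's three persistence signatures.
PERSIST_KEYS = (
    r"\SOFTWARE\Microsoft\Netsh",                                            # Netsh helper DLL, T1546.007
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",   # AppInit DLLs, T1546.010
    r"\Microsoft\Windows\CurrentVersion\Run",                                # Run / RunOnce, T1547.001
)

Finding = Tuple[str, int, str]   # (rule, pid, detail)


def is_rundll32(image: str) -> bool:
    return ntpath.basename(image).lower() == "rundll32.exe"


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def lineage(events: List[Event], pid: int) -> List[str]:
    """Image basenames from the root ancestor down to pid, e.g. Explorer -> rundll32 -> ..."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


def analyze(events: List[Event]) -> List[Finding]:
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    findings: List[Finding] = []
    for e in events:
        if e.kind == "process" and is_rundll32(e.image):
            parsed = parse_rundll32(e.cmdline)
            # Rule 1: rundll32 loading a DLL from a user-writable location (AppData / Temp).
            if parsed and USER_WRITABLE_RE.match(parsed[0]):
                findings.append(("rundll32_loads_dll_from_user_temp", e.pid, parsed[1]))
            # Rule 2: rundll32 whose parent is also rundll32 (the System32 -> SysWOW64 -> Init hop).
            parent = by_pid.get(e.ppid)
            if parent and is_rundll32(parent.image):
                findings.append(("rundll32_spawned_by_rundll32", e.pid, parsed[1] if parsed else ""))
        elif e.kind == "file" and SYSTEM_DIR_RE.match(e.target):
            # Rule 3: rundll32 writing into System32/SysWOW64; note whether it is a copy of the sample.
            actor = by_pid.get(e.pid)
            if actor and is_rundll32(actor.image):
                tag = "matches_sample" if e.sha256.lower() == SAMPLE_SHA256 else "unknown_hash"
                findings.append(("rundll32_drops_into_system_dir", e.pid, f"{e.target} ({tag})"))
        elif e.kind == "registry":
            # Rule 4: any write under the Netsh helper, AppInit_DLLs or Run locations.
            if any(k.lower() in e.target.lower() for k in PERSIST_KEYS):
                findings.append(("persistence_key_written", e.pid, e.target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:36} pid={pid:<5} {' -> '.join(lineage(EVENTS, pid))}  {detail}")
```

Rule 2 is the one that separates this sample from everyday rundll32 use: Control Panel applets, shell extensions and printer drivers all run under rundll32, but they are started by Explorer or a service, not by another rundll32 re-invoking the same DLL with a different export. Rule 1 alone would also fire on software that unpacks to Temp, so the two are meant to be read together with the lineage.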

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Speech\msethost.dll
    Filesize: 48KB
    MD5: d9a8edbaab077b8601bac5369b1636e9
    SHA1: b5f8dd5f6e3fd4a794a3eadce1e26a34bfb7dc7e
    SHA256: 7134e8b04c259a4d339f12f138ee2d15f150df7b17063eac4c656711aebd24c4
    SHA512: e097cbaf056a394230f02b2b46a2299f950327d2ccb43817759cc0d000ce42265c59b188f28968ae88a21889eda80d7049cd505f2096a92de4850cb61753da6e
    All four digests match the submitted sample, so the dropped file is a byte-for-byte copy of the DLL, not a decoded or unpacked payload; a hash match on this path is a reliable host indicator.

  • memory/2352-0-0x0000000075850000-0x0000000075871000-memory.dmp
    Filesize: 132KB

  • memory/2352-10-0x0000000075850000-0x0000000075871000-memory.dmp
    Filesize: 132KB

  • memory/3800-7-0x0000000001370000-0x0000000001371000-memory.dmp
    Filesize: 4KB

  • memory/3800-8-0x0000000001370000-0x0000000001371000-memory.dmp
    Filesize: 4KB

  • memory/3800-11-0x0000000075850000-0x0000000075871000-memory.dmp
    Filesize: 132KB

  The same 132KB region at 0x75850000-0x75871000 is dumped from both PID 2352 and PID 3800, which is consistent with the one 32-bit DLL being mapped at the same base in both SysWOW64 rundll32 processes.