1833a1e6a01361f452239eec9b3718555037987950b2020b5fc24b659434c833

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0d8a9fde142ba5f3816dd02c75f7973_JaffaCakes118.dll
Size

766KB
MD5

e0d8a9fde142ba5f3816dd02c75f7973
SHA1

c7f020b48b45006c4ac09a7428f71d3449ca2ac6
SHA256

1833a1e6a01361f452239eec9b3718555037987950b2020b5fc24b659434c833
SHA512

e85d850b15e26128d57b82247d7a46ac49cf627504481bfcabddea7be2742fecffb2234457d9ad0f1206581bf7f71b0c2440da5b2d8c6b3dee3c88c5e1ab39b3
SSDEEP

12288:iQkdGwwug6jWVWmQwm/Ve8aAv/nTEqHkwNEllNwZQuApu/unEIZUlxOnY7a+Fk:7k4y9jWVWmQPY8Pv/nYqtElIZCMdIKxY

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\421fad9b78.dl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\421fad9b78.dl	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2328	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30
PID 2516 wrote to memory of 2328	2516	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d8a9fde142ba5f3816dd02c75f7973_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d8a9fde142ba5f3816dd02c75f7973_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\421fad9b78.dl

Filesize
22B

MD5
edebecbb7f4bf3e0fc28dd8e9dae84e5

SHA1
b554fefaaf3cf01b776a6bdaf48aa64d5e7db94e

SHA256
d41ea740da8818cd779c411d34b7e68bf7991fb935a0a609c7eeb22c1874bccf

SHA512
2bccf28243719ad032ffe2a54de42dc5dd37ffd305f00a6d8d435c85e8d31c6d3f64429ef0972de6e62762e87141f0a2f0a09c862eb9e753dda76fc454ad0de5

Download Submit
memory/2328-0-0x0000000000A50000-0x0000000000B1C000-memory.dmp

Filesize
816KB

Download
memory/2328-1-0x0000000000A50000-0x0000000000B1C000-memory.dmp

Filesize
816KB

Download
memory/2328-22-0x0000000000A50000-0x0000000000B1C000-memory.dmp

Filesize
816KB

Download