99fca176ecd8441d6ef7bedc3d030492f577c0788e22efa1a41a913cd73d8ae5

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac950a1c99f5f968175e65d3b0c73f8_JaffaCakes118.dll
Size

21KB
MD5

eac950a1c99f5f968175e65d3b0c73f8
SHA1

ff09853d834f9a640f67b55d9fc0cb7c494a2d8e
SHA256

99fca176ecd8441d6ef7bedc3d030492f577c0788e22efa1a41a913cd73d8ae5
SHA512

e690dce2d4052cc4a6af6b1b4b3121008004024a9e8550fd30d8318e45e31a9b1d2604619664f7a5a7126e2128830e0cf79956a38c23cf2b58ab12eae126d96d
SSDEEP

384:QMLWCpCJ6xhD8+kg7QpFls56uDo4WEpF5Z1BRIqd8jXU3bj2OTo:TzZj8+d7QpFHuDoTOFPfL3bj7

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2240-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2540	sc.exe
2692	sc.exe
2560	sc.exe
2768	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe
Token: SeRestorePrivilege	2240	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 3044 wrote to memory of 2240	3044	rundll32.exe	30
PID 2240 wrote to memory of 2776	2240	rundll32.exe	31
PID 2240 wrote to memory of 2776	2240	rundll32.exe	31
PID 2240 wrote to memory of 2776	2240	rundll32.exe	31
PID 2240 wrote to memory of 2776	2240	rundll32.exe	31
PID 2240 wrote to memory of 2768	2240	rundll32.exe	33
PID 2240 wrote to memory of 2768	2240	rundll32.exe	33
PID 2240 wrote to memory of 2768	2240	rundll32.exe	33
PID 2240 wrote to memory of 2768	2240	rundll32.exe	33
PID 2240 wrote to memory of 2540	2240	rundll32.exe	35
PID 2240 wrote to memory of 2540	2240	rundll32.exe	35
PID 2240 wrote to memory of 2540	2240	rundll32.exe	35
PID 2240 wrote to memory of 2540	2240	rundll32.exe	35
PID 2240 wrote to memory of 2692	2240	rundll32.exe	37
PID 2240 wrote to memory of 2692	2240	rundll32.exe	37
PID 2240 wrote to memory of 2692	2240	rundll32.exe	37
PID 2240 wrote to memory of 2692	2240	rundll32.exe	37
PID 2240 wrote to memory of 2560	2240	rundll32.exe	39
PID 2240 wrote to memory of 2560	2240	rundll32.exe	39
PID 2240 wrote to memory of 2560	2240	rundll32.exe	39
PID 2240 wrote to memory of 2560	2240	rundll32.exe	39

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac950a1c99f5f968175e65d3b0c73f8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac950a1c99f5f968175e65d3b0c73f8_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe import "C:\Users\Admin\skgn.avi"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe config PolicyAgent start=auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe start PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\System32\sc.exe stop PolicyAgent
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Drv.sys

Filesize
3KB

MD5
86ed963a0fd041849ae24cd4fcdca942

SHA1
ea54365008861c6ff615030358c64bdf8fb371c4

SHA256
b67c355311987f9746f79bba49494beacdfcaf657ad9194331cf4361f6d421e5

SHA512
c467b373d8ae9868c37520c54236dbca7d70b1f06802a070c0e10a997cacbadcf9a483b04b5cc57e105c8505fad39a3d21adaddafe54b6ead0e3bbc9413ffe2a

Download Submit
C:\Users\Admin\skgn.avi

Filesize
56KB

MD5
bc8025bc98da7f4ed891c9f9991d3ff1

SHA1
70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

SHA256
59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

SHA512
7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

Download Submit
memory/2240-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2240-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download