12727a7f93111281838c02293346232bea3b58f6d1364d725ad17d74e553808c

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacce5633e0170dc45e8d9edf9ee5ab8_JaffaCakes118.dll
Size

25KB
MD5

eacce5633e0170dc45e8d9edf9ee5ab8
SHA1

b755446d4409b76fa7d4da060478f32ee9b2ae0b
SHA256

12727a7f93111281838c02293346232bea3b58f6d1364d725ad17d74e553808c
SHA512

46a697ac22f9d70cb61a3cc297162b14fb29e1d38f8da92b35693ce5d02edc97f58fa1fa60945809d4a26e2d2848145a38802817cfb9ecf0f40ae576889743c4
SSDEEP

384:41QOy6IC2Ha/wLJRvWMKlBK1LEhqmOkLmYTT5mgORU:41QqiHRkBK14htdLmYsRU

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	3052	rundll32.exe
4	3052	rundll32.exe
5	3052	rundll32.exe
22	3052	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SLDT = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0120795.cpl\",BeginTask 2501499700881173354c004e*193.105.154.210:80"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3052	1560	rundll32.exe	81
PID 1560 wrote to memory of 3052	1560	rundll32.exe	81
PID 1560 wrote to memory of 3052	1560	rundll32.exe	81
PID 3052 wrote to memory of 1596	3052	rundll32.exe	82
PID 3052 wrote to memory of 1596	3052	rundll32.exe	82
PID 3052 wrote to memory of 1596	3052	rundll32.exe	82
PID 3052 wrote to memory of 1460	3052	rundll32.exe	83
PID 3052 wrote to memory of 1460	3052	rundll32.exe	83
PID 3052 wrote to memory of 1460	3052	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eacce5633e0170dc45e8d9edf9ee5ab8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eacce5633e0170dc45e8d9edf9ee5ab8_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\0120795.cpl",BeginTask *2501499700881173354*c004e*193.105.154.210:80
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0120795.cpl

Filesize
12KB

MD5
91bb15bbd32a43d7f2400046c9826d36

SHA1
795fc886a6bee411a077b881b7494f3c4658abd6

SHA256
9c162f3b2c0e14e64b83ce45332e5338edfe1121effde94ef11f68786a8c58bb

SHA512
c4b3daea3546cc28ead488e73368d85b6f5d0a80b5fd92692f41184be8f5e8aec0c904eb9b922d278b03e2beeb9802dec4c522b4987e1b0c7ab2f34ccf84d6ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads