2c9dea2f7e34ef446c3e772c82412f327e9388a541fbd93342b7c9afd366b2d5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 14:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Size

118KB
MD5

eb8c2a320e4274b0644275f175c11933
SHA1

1a73da3c9e00cbd5e39248ed8354a0ea39fb2a06
SHA256

2c9dea2f7e34ef446c3e772c82412f327e9388a541fbd93342b7c9afd366b2d5
SHA512

31235d2c08dbb6d492526ce37a7901c57cd622a9fa5c0d20b582c47a6b3110dfd79dedef0ee16dcb011915c3f1b4ac85e81818383452dcd67076d84b4699f7b3
SSDEEP

1536:3GwjUogFr7ebusFJ0jvBL10IcSnrGQ1OyOBDCG3XpYD+vVtXCuKZaF9ECM+yYD7K:3GwArCn8ntntSBD/JDXSuY3C5TD7nK

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2704	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\system32\\HIMYM.DLL,DW"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HIMYM.DLL	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
Token: SeDebugPrivilege	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2788	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2704	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2704	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2704	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2704	2400	eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\eb8c2a320e4274b0644275f175c11933_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\HIMYM.DLL

Filesize
41KB

MD5
289fedb764c9e115b8df15aec100083b

SHA1
830252d9adc113fee1dd4c6916c51138f5b2d1e2

SHA256
c878cdd27229e93ac23ea0c18386e6b62d6886b224f320d58472e60acc1f0fbe

SHA512
c00ff46be81a20be2c464f2de55aff6a348ae60f5801d05efbf88221bf1806b4c07bda300ed6515889f9ad3fd6c3f04a7ecc321f91c136408ed62e2e0f343853

Download Submit
memory/2400-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2400-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2704-12-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2704-11-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2704-14-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2788-8-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/2788-7-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download