0e98b123a994651d4cbc906da9de32c0c8c8ad3e826a0f0c7d610650f11d4f82

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09e2dcb43051868be3ea4a69b6c7bc1_JaffaCakes118.dll
Size

180KB
MD5

f09e2dcb43051868be3ea4a69b6c7bc1
SHA1

64c7d8f309a72089654bfb387e8c262ff8a22e44
SHA256

0e98b123a994651d4cbc906da9de32c0c8c8ad3e826a0f0c7d610650f11d4f82
SHA512

7c24f7992aa18fae477a2c254ba8df9e47ffd962037e09e2b9eddd5ee8cf24792dc25c38374fe89628635b575d366c0f65b2f11dfdd303f5000f5360b7998236
SSDEEP

3072:TFnm3+GvvGBeQYejpXIAq2tn2TBfki43y97FozS4Oq1sqH73oGC:ZKvkwejpBqun2TB8i4i0zLOosqHkG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4696	msupdate.exe

Loads dropped DLL 2 IoCs

pid	Process
4832	rundll32.exe
4832	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\ECELP4.ACM	msupdate.exe
File created	\??\c:\windows\SysWOW64\shelldoc.dll	msupdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\MSAgent\AGENTCPD.DLL	msupdate.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4832	2908	rundll32.exe	82
PID 2908 wrote to memory of 4832	2908	rundll32.exe	82
PID 2908 wrote to memory of 4832	2908	rundll32.exe	82
PID 4832 wrote to memory of 4696	4832	rundll32.exe	83
PID 4832 wrote to memory of 4696	4832	rundll32.exe	83
PID 4832 wrote to memory of 4696	4832	rundll32.exe	83
PID 4696 wrote to memory of 2384	4696	msupdate.exe	85
PID 4696 wrote to memory of 2384	4696	msupdate.exe	85
PID 4696 wrote to memory of 2384	4696	msupdate.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09e2dcb43051868be3ea4a69b6c7bc1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09e2dcb43051868be3ea4a69b6c7bc1_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\msupdate.exe
    C:\Users\Admin\AppData\Local\Temp\msupdate.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 C:\Windows\MSAgent\AGENTCPD.DLL _start@16 0
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msupdate.exe

Filesize
104KB

MD5
ddc9915a5158a9560ad1ef2f16cce9a6

SHA1
a870bf68ad03940ff2fc61a4ba2c5c1cc53aa252

SHA256
9e77faba3137c28572ce9e7bc62897139451aeb99c68958c457214cf8b1cc723

SHA512
7da029adb7137b9b4b92e6fefbbb114ec91a312ab87284e5cd2ff3099e9f7a4aea478171112755592eb9f99820a19525c42c62da91ef0dc80d677bd14f874f49

Download Submit
C:\Windows\SysWOW64\shelldoc.dll

Filesize
52KB

MD5
03f8cfdf5e6d9ecdff1cab3e47d39f44

SHA1
a9fbfe65a3d44a55bfdf0bd01c6c61f436139447

SHA256
6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed

SHA512
6e7cec13f27e602bf5105c1f34417d4ceb2ce614a9b4cbe0636a8af68988348297ed5300ece7d4af802c23d476dcb9d0dc528b0b8efb85a64302f07b8af0ea5c

Download Submit
memory/4832-12-0x0000000000580000-0x000000000058F000-memory.dmp

Filesize
60KB

Download