9bb1ae355e58b2d79543fa03167afebe1fe0e275582d96c7ce3547ce31570b9a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc857bb077bf663898f15e0fab8b5db5_JaffaCakes118.dll
Size

11KB
MD5

fc857bb077bf663898f15e0fab8b5db5
SHA1

f6908596a9596e84cb66a7e6077948c2be04806d
SHA256

9bb1ae355e58b2d79543fa03167afebe1fe0e275582d96c7ce3547ce31570b9a
SHA512

bf9f20e8308f364388c3f440409ff0098544dd86e07e9801dd27c01b392bc0c7678b37ecfcd1aded787978d31359a30ff7c7a9ff70baaed0e8c19a108aa76249
SSDEEP

192:GglCNy5/L8rBe6oi/J/kgLeYADlaoyqVuF6xR:AEJ8rc6oCJ/kgKxDllVuF

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3020	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	rundll32.exe

Drops autorun.inf file 1 TTPs 24 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\W:\AutoRun.inf	rundll32.exe
File created	\??\X:\AutoRun.inf	rundll32.exe
File created	\??\L:\AutoRun.inf	rundll32.exe
File created	\??\Q:\AutoRun.inf	rundll32.exe
File created	\??\R:\AutoRun.inf	rundll32.exe
File created	\??\S:\AutoRun.inf	rundll32.exe
File created	\??\T:\AutoRun.inf	rundll32.exe
File created	\??\U:\AutoRun.inf	rundll32.exe
File created	\??\Y:\AutoRun.inf	rundll32.exe
File created	C:\AutoRun.inf	rundll32.exe
File created	\??\H:\AutoRun.inf	rundll32.exe
File created	\??\I:\AutoRun.inf	rundll32.exe
File created	\??\K:\AutoRun.inf	rundll32.exe
File created	\??\O:\AutoRun.inf	rundll32.exe
File created	\??\Z:\AutoRun.inf	rundll32.exe
File created	D:\AutoRun.inf	rundll32.exe
File created	F:\AutoRun.inf	rundll32.exe
File created	\??\M:\AutoRun.inf	rundll32.exe
File created	\??\P:\AutoRun.inf	rundll32.exe
File created	\??\V:\AutoRun.inf	rundll32.exe
File created	\??\E:\AutoRun.inf	rundll32.exe
File created	\??\G:\AutoRun.inf	rundll32.exe
File created	\??\J:\AutoRun.inf	rundll32.exe
File created	\??\N:\AutoRun.inf	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3020	3028	rundll32.exe	82
PID 3028 wrote to memory of 3020	3028	rundll32.exe	82
PID 3028 wrote to memory of 3020	3028	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc857bb077bf663898f15e0fab8b5db5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc857bb077bf663898f15e0fab8b5db5_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240610937.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads