dba61a4f5e8b0a8f7b9a440ae04356408dc035cee48c2ecf83b66de714807824

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 18:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

029e1e7cab4e787ff3685f7f07e438f3_JaffaCakes118.dll
Size

83KB
MD5

029e1e7cab4e787ff3685f7f07e438f3
SHA1

bdaf333a194da7313f3cc026fe7a48cb358ccc1d
SHA256

dba61a4f5e8b0a8f7b9a440ae04356408dc035cee48c2ecf83b66de714807824
SHA512

b9599922c481fd87f4bac3a71972793679ea5835438eb2a74d0ba35f032bdc296b2f359e84aa58e2b375e7f50439afcd07c9e1dd83f2ba0b481b1c2a43ceb858
SSDEEP

1536:4/kFFFLGLgra3e3SQn13B0SBwZzppVZKN1CRkcHhtUseIEi2UKF+YG3e:gkNLGN361xBWRjtIbyKF

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2548	rundll32.exe
Token: SeSecurityPrivilege	2548	rundll32.exe
Token: SeTakeOwnershipPrivilege	2548	rundll32.exe
Token: SeLoadDriverPrivilege	2548	rundll32.exe
Token: SeSystemProfilePrivilege	2548	rundll32.exe
Token: SeSystemtimePrivilege	2548	rundll32.exe
Token: SeProfSingleProcessPrivilege	2548	rundll32.exe
Token: SeIncBasePriorityPrivilege	2548	rundll32.exe
Token: SeCreatePagefilePrivilege	2548	rundll32.exe
Token: SeShutdownPrivilege	2548	rundll32.exe
Token: SeDebugPrivilege	2548	rundll32.exe
Token: SeSystemEnvironmentPrivilege	2548	rundll32.exe
Token: SeRemoteShutdownPrivilege	2548	rundll32.exe
Token: SeUndockPrivilege	2548	rundll32.exe
Token: SeManageVolumePrivilege	2548	rundll32.exe
Token: 33	2548	rundll32.exe
Token: 34	2548	rundll32.exe
Token: 35	2548	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 496 wrote to memory of 2548	496	rundll32.exe	30
PID 2548 wrote to memory of 1048	2548	rundll32.exe	17
PID 2548 wrote to memory of 1048	2548	rundll32.exe	17
PID 2548 wrote to memory of 1120	2548	rundll32.exe	19
PID 2548 wrote to memory of 1120	2548	rundll32.exe	19
PID 2548 wrote to memory of 1180	2548	rundll32.exe	21
PID 2548 wrote to memory of 1180	2548	rundll32.exe	21
PID 2548 wrote to memory of 804	2548	rundll32.exe	25
PID 2548 wrote to memory of 804	2548	rundll32.exe	25
PID 2548 wrote to memory of 496	2548	rundll32.exe	29
PID 2548 wrote to memory of 496	2548	rundll32.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1048

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\029e1e7cab4e787ff3685f7f07e438f3_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\029e1e7cab4e787ff3685f7f07e438f3_JaffaCakes118.dll,#1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-6-0x000000005F000000-0x000000005F001000-memory.dmp

Filesize
4KB

Download
memory/2548-3-0x0000000033000000-0x0000000033037000-memory.dmp

Filesize
220KB

Download
memory/2548-2-0x0000000033000000-0x0000000033037000-memory.dmp

Filesize
220KB

Download
memory/2548-1-0x0000000033000000-0x0000000033037000-memory.dmp

Filesize
220KB

Download
memory/2548-0-0x0000000033000000-0x0000000033037000-memory.dmp

Filesize
220KB

Download
memory/2548-4-0x0000000033034000-0x0000000033035000-memory.dmp

Filesize
4KB

Download
memory/2548-5-0x0000000033000000-0x0000000033037000-memory.dmp

Filesize
220KB

Download