Overview

overview

8

Static

static

3

03df5f9813...18.dll

windows7-x64

03df5f9813...18.dll

windows10-2004-x64

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 01:19

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    03df5f9813d3c7d25e907b9013398226_JaffaCakes118.dll

  • Size

    147KB

  • MD5

    03df5f9813d3c7d25e907b9013398226

  • SHA1

    7c4a46e0dcd2b3ab490bf332a2310790abab58ee

  • SHA256

    07ba94c335f0c08143c1799eea9ea14371cdeed91181e8a733a704c22d3bd45b

  • SHA512

    4803a3fa54a9e92f6180bed07f507241b10a15376145dcf8c00238c34e6a25e9ae82da7ee287e4cce903a856a1bafd0e20d67bf941980fb6062d906f444356a0

  • SSDEEP

    3072:w0KoPm3fslD98wpKV7Iv5X3DqqBZ9zVWsqA4EKzWKRefU4LrTmL:Z+PslD98w8tIOUgWBUOi

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\03df5f9813d3c7d25e907b9013398226_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\03df5f9813d3c7d25e907b9013398226_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\PROGRA~3\e6jj0qdo.plz,GL300
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\SysWOW64\regedit.exe
          C:\Windows\regedit.exe -s C:\PROGRA~3\odq0jj6e.reg
          4⤵
          • Server Software Component: Terminal Services DLL
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:4680
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
    1⤵
      PID:3836
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3966055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4648

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\PROGRA~3\e6jj0qdo.plz
            Filesize

            147KB

            MD5

            03df5f9813d3c7d25e907b9013398226

            SHA1

            7c4a46e0dcd2b3ab490bf332a2310790abab58ee

            SHA256

            07ba94c335f0c08143c1799eea9ea14371cdeed91181e8a733a704c22d3bd45b

            SHA512

            4803a3fa54a9e92f6180bed07f507241b10a15376145dcf8c00238c34e6a25e9ae82da7ee287e4cce903a856a1bafd0e20d67bf941980fb6062d906f444356a0

            Download Submit

          • C:\ProgramData\odq0jj6e.reg
            Filesize

            285B

            MD5

            cd937f519bc4ddcab5838c1b2422575a

            SHA1

            940aac4b1776aa9d84c420a813891a571d00d46e

            SHA256

            d2cd06f9f6f623d2665c604c09d6d30713572430df7cab6e1152aa547f9e0368

            SHA512

            dbb992fb73347bdd8f83aa4eca8174d79cb565cf0ffd66c7071c2c6d447573430320bbf8570cbd85450f50b3f7f1bec4916571df516246a41cc20e24518d6310

            Download Submit

          • memory/2704-2-0x0000000074B50000-0x0000000074B7B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/2704-3-0x0000000074B51000-0x0000000074B6F000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2704-0-0x00000000012A0000-0x00000000012A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3960-28-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-44-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-17-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-19-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-8-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-7-0x0000000001020000-0x0000000001021000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3960-36-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-10-0x0000000074B11000-0x0000000074B2F000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3960-52-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-59-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-67-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-74-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-82-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-89-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download

          • memory/3960-92-0x0000000074B10000-0x0000000074B3B000-memory.dmp

            Filesize

            172KB

            Download