acaabc6cc265bf251fb8bf23f56efdf19dcf5b5b9be1eb33038e4999068f190b

General

Target

04a819fc588ad0b00761f355cf6ac7e2_JaffaCakes118.dll
Size

236KB
MD5

04a819fc588ad0b00761f355cf6ac7e2
SHA1

22e19d372e8685ad49c16b7cc08ca7941b1b8fa7
SHA256

acaabc6cc265bf251fb8bf23f56efdf19dcf5b5b9be1eb33038e4999068f190b
SHA512

97746602f003f11b6faee6b5b4ba06e2508f8d76ae7dd09d1ee9c35ba65cc0779f70d17cf6a58c6f7ae85714f0924f1c353b778458ec54c97aa1f6b3072ce831
SSDEEP

3072:SeqmgHwlaazN9U3J+P0wFp+bLrt2wkkIe:+Qj9U3jwO3rt5N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\saofgfvgl = "{e0a1cdd4-6829-bd7e-793a-6829455c5585}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1036	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nvjabaqbg.dll	rundll32.exe
File created	C:\Windows\SysWOW64\fnbstsity.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fnbstsity.dll	rundll32.exe
File created	C:\Windows\SysWOW64\nvjabaqbg.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e0a1cdd4-6829-bd7e-793a-6829455c5585}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e0a1cdd4-6829-bd7e-793a-6829455c5585}\InprocServer32\ = "C:\\Windows\\SysWow64\\nvjabaqbg.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e0a1cdd4-6829-bd7e-793a-6829455c5585}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e0a1cdd4-6829-bd7e-793a-6829455c5585}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e0a1cdd4-6829-bd7e-793a-6829455c5585}\	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1036	rundll32.exe
1036	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31
PID 2672 wrote to memory of 1036	2672	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a819fc588ad0b00761f355cf6ac7e2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a819fc588ad0b00761f355cf6ac7e2_JaffaCakes118.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\fnbstsity.dll

Filesize
625KB

MD5
95e2376b3323f062eb562b8586d0f14a

SHA1
453d4c3bf4a489433b593420a37bbffb7749875a

SHA256
bd3fa8750123d00aa0967fba44372c46ea002681da9c9b77a4f9261553e26017

SHA512
b898603d07a49237e4dfc6872d5caa7616bae1258926f10e66c4d3f0d81cccefac1e844395b65bb1f308fbc022061b52e51f60658d0a546c04b365b3428cc87d

Download Submit
memory/1036-0-0x0000000000690000-0x00000000006D4000-memory.dmp

Filesize
272KB

Download
memory/1036-1-0x0000000000691000-0x0000000000698000-memory.dmp

Filesize
28KB

Download
memory/1036-8-0x0000000000690000-0x00000000006D4000-memory.dmp

Filesize
272KB

Download
memory/1036-11-0x0000000000690000-0x00000000006D4000-memory.dmp

Filesize
272KB

Download
memory/1036-10-0x0000000000690000-0x00000000006D4000-memory.dmp

Filesize
272KB

Download
memory/1036-12-0x0000000000690000-0x00000000006D4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads