b42aa3dab8651f367a299dcb3255a64443fc852727a070d4ca65a681cd1776c3

Analysis

max time kernel
125s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 15:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

065296099899a74f3ce89965c0207a98_JaffaCakes118.dll
Size

236KB
MD5

065296099899a74f3ce89965c0207a98
SHA1

fc4c9a68018297284f022d00b7076dbac92d356a
SHA256

b42aa3dab8651f367a299dcb3255a64443fc852727a070d4ca65a681cd1776c3
SHA512

829e5be96c434faa91889b08f94196302f1cc2605a2e6c9ab808e85cca1aa6c2bb81b6ab555608ce1462afbac1b016e6dc623352653acea4a2aa72c5b90a14e1
SSDEEP

3072:SeqmgHwlaazN9U3J+P0wFp+bLrt2wkkIK:+Qj9U3jwO3rt5V

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wghyt = "{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
5084	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jtulg.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\jtulg.dll	rundll32.exe
File created	C:\Windows\SysWOW64\rbcto.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rbcto.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}\InprocServer32\ = "C:\\Windows\\SysWow64\\rbcto.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c14fbf7-a49c-f9e1-b5ad-a49c737f58af}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5084	rundll32.exe
5084	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 5084	3208	rundll32.exe	89
PID 3208 wrote to memory of 5084	3208	rundll32.exe	89
PID 3208 wrote to memory of 5084	3208	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\065296099899a74f3ce89965c0207a98_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\065296099899a74f3ce89965c0207a98_JaffaCakes118.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jtulg.dll

Filesize
478KB

MD5
e99416267b61f52fa5ab994019efd359

SHA1
86d31eae707db7fe51d2556394fcf0e8e9f6b0fd

SHA256
768c286674371564b5e6095edb56e0a4231f341be895da69cfccca5160029774

SHA512
0a1c7579a9c787c2c1bef35f0660e72e74b42824e14ebea63b87ed25ddaf107e3746567bb431cab41a2f6719fad2c22d96e0715a1fe085d75805d7d66f7f05ae

Download Submit
memory/5084-0-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/5084-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download