Overview

overview

8

Static

static

3

083568d535...18.dll

windows7-x64

8

083568d535...18.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    083568d535ca89b9c978b02c1cadb0ce_JaffaCakes118.dll

  • Size

    2.7MB

  • MD5

    083568d535ca89b9c978b02c1cadb0ce

  • SHA1

    2b06d2af4b658b13a721f23daf0ec9fe1c4bd6fa

  • SHA256

    60eaa44d8cf4a907c6afe5c32872ed04baf80b90a8e5ad017a7b1a6e89fa84f1

  • SHA512

    cc89560fef9ac7d25e983e44539ab538ee99d5f4fb2245b948869b692e2b5f47b7efc37a9c3aebaebe86e23d0dadb85be4a0a852dd2ba70aca915323372bf8a0

  • SSDEEP

    3072:axOUTXIspizAnu4OROGvwB16YYPEzTJu1Lqc:axOUTXIsbHGvwBwZczuLH

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 10 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1208
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Users\Admin\AppData\Local\Temp\083568d535ca89b9c978b02c1cadb0ce_JaffaCakes118.dll
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1292
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Users\Admin\AppData\Local\Temp\083568d535ca89b9c978b02c1cadb0ce_JaffaCakes118.dll
              3⤵
              • Adds Run key to start application
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2428
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" C:\PROGRA~3\32lonasohum.dat,StartAs
                4⤵
                • Blocklisted process makes network request
                • Deletes itself
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer Protected Mode
                • Modifies Internet Explorer Protected Mode Banner
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2256

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~3\32lonasohum.dat
          Filesize

          3.8MB

          MD5

          1586fc5e27dc9dc13be3ce5fa0081ab4

          SHA1

          d3fe1f3fde43de7bba478cf855b80c8d64187af2

          SHA256

          d22df4a4562c69c054a13c952f4be4ece87dc238d8e8b3b2db8dddc9b0ce7b6c

          SHA512

          76315e39d7abafdbc30096e99f97cff1a4970d5f0342256c47cb172be24eee21ce4db91289629e2578a2eeb306a1728c257d2b324246b31a6a2b1ca0288cc848

          Download Submit

        • memory/1208-15-0x0000000002970000-0x0000000002971000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2256-24-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-138-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-196-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-186-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-173-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-151-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-127-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-21-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-116-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-23-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-22-0x00000000002A1000-0x00000000002C1000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2256-47-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-94-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2256-106-0x00000000002A0000-0x000000000030D000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2428-0-0x0000000000160000-0x00000000001CD000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2428-17-0x0000000000160000-0x00000000001CD000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2428-4-0x0000000000160000-0x00000000001CD000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2428-18-0x0000000000161000-0x0000000000181000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2428-1-0x0000000000161000-0x0000000000181000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2428-2-0x0000000000160000-0x00000000001CD000-memory.dmp

          Filesize

          436KB

          Download

        • memory/2428-3-0x0000000000160000-0x00000000001CD000-memory.dmp

          Filesize

          436KB

          Download