Overview

overview

8

Static

static

3

0d020d09ac...18.dll

windows7-x64

8

0d020d09ac...18.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 00:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d020d09acd437b8e1c20dca59c0f3a6_JaffaCakes118.dll

  • Size

    2.7MB

  • MD5

    0d020d09acd437b8e1c20dca59c0f3a6

  • SHA1

    16474c3ddcd6952e264ae1a6c7289593a173a3fb

  • SHA256

    5d9cd41307ef1bca484ac14ea8849f93f735ff5d04de40ef3f753d704abbb24b

  • SHA512

    91a715168414dca2b187148004f1b7ceea4d0d65ae4b5d130d03d9c470fe971f2da62abc25818d1530f52019694cf550bb1cd89a31a72d34640bffa438bfb904

  • SSDEEP

    3072:axOUTXIspizAnu4OROGvwB16YYPEzTJu1LqB+:axOUTXIsbHGvwBwZczuLi+

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0d020d09acd437b8e1c20dca59c0f3a6_JaffaCakes118.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\0d020d09acd437b8e1c20dca59c0f3a6_JaffaCakes118.dll
          3⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~3\temjeloto.dat
      Filesize

      3.4MB

      MD5

      f50933b89c72d9a30bdbe44665871262

      SHA1

      e79f51256a1cfbf298ac34efc75445f0e86c2b12

      SHA256

      7bb504f1953470ff4f61d64a8ee211eff59b0dc4e509d49f5db84cda6078bc5f

      SHA512

      e188d0abdbc433ea0e3a5ea80221092ac1cd28834f03a60e6e04f829901ac000efc4661a925c0d3f092fbf6ed5a19da3a580badd0e5c540cb2a5d13ab442de69

      Download Submit

    • memory/4580-0-0x0000000000401000-0x0000000000421000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4580-1-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/4580-3-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/4580-2-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/4580-14-0x0000000000401000-0x0000000000421000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4580-15-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download