ecdb4e016d6c1514dc16b511284e76c7214c085c5bbe106732ca731c63faf89a

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eccf09e6e0a75fcfb2cefdcab75cc36_JaffaCakes118.dll
Size

20KB
MD5

0eccf09e6e0a75fcfb2cefdcab75cc36
SHA1

804d7956f591ab44decda5fdcdb64ada4c717ead
SHA256

ecdb4e016d6c1514dc16b511284e76c7214c085c5bbe106732ca731c63faf89a
SHA512

ba1029466db1f5c07ae000f75e24445efe2d3ba751b320315bf4e6b3600da9204ebe1a04acb953f8b6662a242e015b3125b08704dbc0650bba9cfd0be4f0311b
SSDEEP

384:zSG/2Jp+C6QhtmruxCcdIL+0XplLCAu8UaWHuqaTlX0wG:zfYh2oCtpXPLx2OqaewG

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2232	rundll32.exe
2232	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2232	4612	rundll32.exe	82
PID 4612 wrote to memory of 2232	4612	rundll32.exe	82
PID 4612 wrote to memory of 2232	4612	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0eccf09e6e0a75fcfb2cefdcab75cc36_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0eccf09e6e0a75fcfb2cefdcab75cc36_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84C0.tmp

Filesize
20KB

MD5
fda0880126712920e9daa7a54ba89bd8

SHA1
19a0d89fadc2f0ba705ee4b3edd7caa7d9a64ecb

SHA256
c59c4e53fe8a1e9f71af52b17ce99d54ac0d9a7ec35915f24a8318d1287e70c6

SHA512
307bda5872496f5f7f885facc3283b0f0424fe64c90a216e47b679ea91804ddc48cad2c701c81f7a5c5a00240fabff910bf2928e6d616c882b43a788a3a14a3c

Download Submit
memory/2232-8-0x0000000001250000-0x000000000125C000-memory.dmp

Filesize
48KB

Download