a63f50a6f78f83547069f091567fa5ad3710a337107a1eefe303b57f92efe658

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe
Size

148KB
MD5

26498b0e69ef84f3aecc093d17f9990f
SHA1

b416b911a1a97693c5148f0e26e04de970232e80
SHA256

a63f50a6f78f83547069f091567fa5ad3710a337107a1eefe303b57f92efe658
SHA512

c5f1566d46bfd0265614a4bc598dde936f32933df63b114e751890ed3dfe96bfd546c77f8dfa200c56f08a18524c1c9df832c781a8fc196e52d9bb1abcf98936
SSDEEP

3072:YV/NXp05MPtufccb6fK6oFQPJ05MPtufccb6fK6oFQP+m:Q1XQQukG6fV+QukG6fVJ

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CylinderLinker\Parameters\ServiceDll = "C:\\Program Files\\CylinderLinker\\w14x.dll"	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1020	rundll32.exe
3840	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\CylinderLinker\w14x.dll	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe
File opened for modification	C:\Program Files\CylinderLinker\w14x.dll	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe
1020	rundll32.exe
1020	rundll32.exe
3840	svchost.exe
3840	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1020	1960	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe	86
PID 1960 wrote to memory of 1020	1960	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe	86
PID 1960 wrote to memory of 1020	1960	26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26498b0e69ef84f3aecc093d17f9990f_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\CylinderLinker\w14x.dll" CylinderLinker
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240620515_res.txt

Filesize
12.1MB

MD5
5fd5160ac92039b19f733c69aa6378cc

SHA1
23ce41651dde1d515275f956f38eea66f300691e

SHA256
a2856688491767e308dd637e1397ca158484dc27e7a8694082efb0679ff5b1ec

SHA512
c7807c8f16d4b9226eec9b2ea008cb56775b280ae96e7c630487d7afe4c2d432e0d72fd9df8f959a4c320a700c9e3411d17fdbc0a187f49e687092c44d52938d

Download Submit
memory/1020-8-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1020-11-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1960-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1960-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3840-12-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download