Overview

overview

8

Static

static

3

2bdf48f65b...18.dll

windows7-x64

8

2bdf48f65b...18.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 05:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2bdf48f65b718d86e9ded59a30f3eaa4_JaffaCakes118.dll

  • Size

    1.7MB

  • MD5

    2bdf48f65b718d86e9ded59a30f3eaa4

  • SHA1

    4f9be831b939d4068f5c5993725b026f03627075

  • SHA256

    f65048c3b27d95cef6fcf5d8ccf5ab820494270fde0753bc9df2744361cdc25f

  • SHA512

    796b5e0d4f7b0917c68523eda5a7db03fd2f1c55e7d19c5c137e7f7062e028f0fccedb927ad8ecffdef8ca88e3129f2ba8d42bba616d8ccd6ab0ad0a8f151d44

  • SSDEEP

    6144:GXkWpMQwzjCZl13fTS5W3tc7T1rdEjVJ3D:GXNMQ1ZDfTS5eccjVBD

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1228
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1284
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2bdf48f65b718d86e9ded59a30f3eaa4_JaffaCakes118.dll
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Users\Admin\AppData\Local\Temp\2bdf48f65b718d86e9ded59a30f3eaa4_JaffaCakes118.dll
              3⤵
              • Adds Run key to start application
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" C:\PROGRA~3\com32rimni.dat,StartAs
                4⤵
                • Blocklisted process makes network request
                • Deletes itself
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer Protected Mode
                • Modifies Internet Explorer Protected Mode Banner
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2856

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\PROGRA~3\com32rimni.dat
                Filesize

                3.6MB

                MD5

                dac75c76aa0c681165babe8a7f76a161

                SHA1

                2cf0131f55b02b13781449c4bb5e2f7805f6a913

                SHA256

                8fc40f41a23a3d7af3c6cb72a920a4b77671b3dc0cdaa0bf056bce5d79a90916

                SHA512

                06abe1a5e6b2f0667f197ed23484a61e448abdee5eba6038e2f8919916d9d3d96b11738a6ae76d7e71788d0044d1c6f0f2627d12d68ab2cd2a5706f66fc4cf06

                Download Submit

              • memory/1284-14-0x0000000002040000-0x0000000002041000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2124-0-0x0000000000630000-0x0000000000697000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2124-1-0x0000000000631000-0x0000000000652000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2124-2-0x0000000000630000-0x0000000000697000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2124-3-0x0000000000630000-0x0000000000697000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2124-18-0x0000000000630000-0x0000000000697000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2124-17-0x0000000000631000-0x0000000000652000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2856-21-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-22-0x0000000000201000-0x0000000000222000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2856-23-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-51-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-53-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-134-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-148-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-162-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-176-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download

              • memory/2856-189-0x0000000000200000-0x0000000000267000-memory.dmp

                Filesize

                412KB

                Download