Overview

overview

8

Static

static

3

41b15bcd31...18.dll

windows7-x64

8

41b15bcd31...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 19:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    41b15bcd31a421132f838608924dac04_JaffaCakes118.dll

  • Size

    159KB

  • MD5

    41b15bcd31a421132f838608924dac04

  • SHA1

    68452f45e04725d180c1c5bd1eab3e0d259a2f29

  • SHA256

    1caf1fb4e5e27c69f33371f042d84b32978193c5c9cbc4f4c666cf601773a604

  • SHA512

    caed994747380ddaf7b9dd2a71e16e5723237352901faa56d3fabc3d0dfb9f7080e2d70498e1805ebb3707966d6139c7c1b4b43e1c4610df0d31013768628f16

  • SSDEEP

    3072:1H8dK6lMb3mDTNmY2z9XHvv08o2HOTEDzGNZc0XXqC8ymj:1ck6ylHHvA2HOTGzGbc0KC8

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:788
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b15bcd31a421132f838608924dac04_JaffaCakes118.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b15bcd31a421132f838608924dac04_JaffaCakes118.dll,#1
        2⤵
        • Server Software Component: Terminal Services DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net start COMSysApp
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Windows\SysWOW64\net.exe
            net start COMSysApp
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1372
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start COMSysApp
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net start SENS
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Windows\SysWOW64\net.exe
            net start SENS
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start SENS
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2880
    • C:\Windows\system32\dllhost.exe
      C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
      1⤵
      • Drops file in Windows directory
      PID:4980
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
      1⤵
        PID:3812

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\PROGRA~3\fildll64mnj.dat
              Filesize

              1.2MB

              MD5

              2b048d48392cabd4cef51039e1bb3033

              SHA1

              49ae7fc069cc27b91338d862792495bf6b9834bf

              SHA256

              4c4c06c189a316e03636745bc304ddb2b0b3a8fe9cf8ec47cdd7b0a7ff193cb2

              SHA512

              5ae2bd8e7d66ed8ac1473ea61b21b7fcc64dea2245eec176e870973744d4fbae3e82bbec10d19e64f232914bb1662a4d483df57b5ebeb013554224a955ffee6e

              Download Submit

            • memory/4316-0-0x0000000000780000-0x00000000007AF000-memory.dmp

              Filesize

              188KB

              Download