e1e590b4b7412dedaaa0ee98b22436f45b8cf3de6341655fcf36857701e6bcc8

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53bef9ad0b10e6514966aff4a451b382_JaffaCakes118.dll
Size

144KB
MD5

53bef9ad0b10e6514966aff4a451b382
SHA1

629b9a78068c3151d024714d02580a92a532af28
SHA256

e1e590b4b7412dedaaa0ee98b22436f45b8cf3de6341655fcf36857701e6bcc8
SHA512

d5109ed81ac890415e4887c070633cc785d36a1ce5c493dab5cb15ed9f543af3ea16649bbad550524426c5bd23782e071f7e78ae0a1f222897c159eb0d1e73c4
SSDEEP

3072:cb2SRia1eQDUl7y1+OZLNSYzIuXVu3bCR50bcwmL46L+:cbtRiWwl7yjZLNSHCXSdh

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\Shell\Open	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\ = "Internet Explorer"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\ShellFolder	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\InProcServer32\ = "shdocvw.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\Shell	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\Shell\Open\Command	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\DefaultIcon\InProcServer32	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\ShellFolder\Attributes = 00000000	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\InProcServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D98B4E1-3403-4EFE-9E52-8A639DFBB0C6}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe Http://www.xihao.net/"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3988	1492	rundll32.exe	84
PID 1492 wrote to memory of 3988	1492	rundll32.exe	84
PID 1492 wrote to memory of 3988	1492	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bef9ad0b10e6514966aff4a451b382_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bef9ad0b10e6514966aff4a451b382_JaffaCakes118.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads