e576411e26bc09f2b6a296855c8e68002b086c67fd70ac1716eeb648c346ba87

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56e31eed8bb950f4a7d3b7510feea597_JaffaCakes118.dll
Size

78KB
MD5

56e31eed8bb950f4a7d3b7510feea597
SHA1

be40dff65908cf6b8500955053c48eceb9bda186
SHA256

e576411e26bc09f2b6a296855c8e68002b086c67fd70ac1716eeb648c346ba87
SHA512

b7b559ed9841f9900d95b7bce5a2c69a9a89c76caa984236dde6c0b71ed60c28c8c9b8abd83202c38faea4600e089093449e1501595ce5bdfa998da3abca1b5a
SSDEEP

1536:LaejhwzMyaS47KZNw0KHxRiP1zAxfc/3ieW9qW/8PRgHFBn/:t+BaS47KZtP1zAxixW+yn/

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
5	2264	rundll32.exe
6	2264	rundll32.exe
9	2264	rundll32.exe
10	2264	rundll32.exe
12	2264	rundll32.exe
14	2264	rundll32.exe
15	2264	rundll32.exe
16	2264	rundll32.exe
18	2264	rundll32.exe
19	2264	rundll32.exe
21	2264	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29
PID 2236 wrote to memory of 2264	2236	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\56e31eed8bb950f4a7d3b7510feea597_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56e31eed8bb950f4a7d3b7510feea597_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-0-0x00000000001A0000-0x00000000001B3000-memory.dmp

Filesize
76KB

Download
memory/2264-4-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2264-3-0x00000000001A0000-0x00000000001B3000-memory.dmp

Filesize
76KB

Download
memory/2264-1-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2264-2-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2264-5-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2264-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2264-8-0x00000000001A0000-0x00000000001B3000-memory.dmp

Filesize
76KB

Download
memory/2264-9-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download