6a3769b25b77ad2d587ce5c7a2fdd689b200b83b1121e42daa5eafd89453d361

Analysis

max time kernel
127s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll
Size

384KB
MD5

90e6856c7ebc92ffe04f96c82f3d5e46
SHA1

fb2d9d951dec500c61a21fc134038478a9c58030
SHA256

6a3769b25b77ad2d587ce5c7a2fdd689b200b83b1121e42daa5eafd89453d361
SHA512

4e04da4611fccbbe810ada5221e0699f24487817d7a44b4eed92e12fe0a4cec8edc43e54467eb2a6097fea402f15db91ca4694e906f9f92a523e2fdb6f84fc09
SSDEEP

6144:7YoYyqA8M7NFN9vB76uo0ar7G7FwgNJb/Icl5LmBvxT6DkxyAEUy7DTkkz8FAcce:R4Ad3NtB76uoSZbNek5LmBZTVy7DTWFi

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4468	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4468	rundll32.exe
4468	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4468	1276	rundll32.exe	83
PID 1276 wrote to memory of 4468	1276	rundll32.exe	83
PID 1276 wrote to memory of 4468	1276	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8218.tmp

Filesize
60KB

MD5
174d921f1387b534ee96dc294b79fb3f

SHA1
7dad0fd02fa624373fc411c541d9391275c6dba3

SHA256
dc7f1117328a8d68d3904daad34bcbb9675177ba1a507f0da13436874f881324

SHA512
35724d8a4c458854d1cd7ca773abaea2b548aea2cb8b345e1b2eae86fc178b2c17c52e0f4f173fa2419b31337a2e6f090195f23d9587c5dfd1851c7c556d0b4d

Download Submit
memory/4468-0-0x0000000002980000-0x00000000029E4000-memory.dmp

Filesize
400KB

Download