623d5cc3bce00dae7d418df7e0aae677c4559d4c319aa9b6835f2963a58912a4

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0705c0d813c8ff7fabb4cb307559a24_JaffaCakes118.dll
Size

27KB
MD5

e0705c0d813c8ff7fabb4cb307559a24
SHA1

abf37ed461f76f4b1681f5e230adfbbc0e9a5028
SHA256

623d5cc3bce00dae7d418df7e0aae677c4559d4c319aa9b6835f2963a58912a4
SHA512

7cc9d82e7e33040262607f446729b7895077c3eef6c4390f3ebf26a3558aa9105304dd7b85fda73335fd4e06fa644aea2d13e969cd152c388b78f6214007b267
SSDEEP

384:2AAHxUSCqujwHKnGQmQwt83EEPT9/qgfi1vOpBlbQtylykECkfm6TJqCAzK9Enmv:YKSCquMH0GQUs9/Hq5OpBlkoPpm

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2412	rundll32.exe
8	2412	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urls.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\urls.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2412	4468	rundll32.exe	83
PID 4468 wrote to memory of 2412	4468	rundll32.exe	83
PID 4468 wrote to memory of 2412	4468	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0705c0d813c8ff7fabb4cb307559a24_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0705c0d813c8ff7fabb4cb307559a24_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urls.dll

Filesize
1.6MB

MD5
e0e12856ca90be7f5ab8dfc0f0313078

SHA1
cc5accf48b8e6c2fd39d1f800229cdbb54305518

SHA256
81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619

SHA512
162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6

Download Submit