Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 12:12

Static task: static1
Behavioral task: behavioral1
Sample: 3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll
Resource: win7-20240419-en
General
- Target: 3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll
- Size: 986KB
- MD5: 3485e0ac521bf858da4d8c19eb33c548
- SHA1: afad1434651161ac3d4e1c3ef169cdb6635134f7
- SHA256: 3f6bec2d9c14ebe6ddf25c6628cb39c4918acada8c37472134f45031d72221d7
- SHA512: eafc4b171db0c06a975a4ca20a5289c6b9298b6db9ca170d4536a4034dc77074b8760c17d54da61e540bb0eb57f51839bad36294a95992ade96dac0275f45fea
- SSDEEP: 24576:0VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:0V8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config

Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/1192-5-0x0000000002E60000-0x0000000002E61000-memory.dmp | dridex_stager_shellcode

- Executes dropped EXE 3 IoCs
  Processes:
  pid  | process
  2664 | rdpinit.exe
  2204 | dccw.exe
  2768 | iexpress.exe

- Loads dropped DLL 7 IoCs
  Processes:
  pid  | process
  1192 |
  2664 | rdpinit.exe
  1192 |
  2204 | dccw.exe
  1192 |
  2768 | iexpress.exe
  1192 |

- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\WjT\\dccw.exe" |

- Checks whether UAC is enabled
  Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpinit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dccw.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexpress.exe

- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid  | process
  2068 | rundll32.exe
  2068 | rundll32.exe
  2068 | rundll32.exe
  1192 | (61 further entries, all pid 1192 with no process name recorded)

- Suspicious use of WriteProcessMemory 18 IoCs
  Processes:
  description                      | pid  | process | target process
  PID 1192 wrote to memory of 2628 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2628 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2628 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2664 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2664 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2664 | 1192 |         | rdpinit.exe
  PID 1192 wrote to memory of 2348 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 2348 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 2348 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 2204 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 2204 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 2204 | 1192 |         | dccw.exe
  PID 1192 wrote to memory of 304  | 1192 |         | iexpress.exe
  PID 1192 wrote to memory of 304  | 1192 |         | iexpress.exe
  PID 1192 wrote to memory of 304  | 1192 |         | iexpress.exe
  PID 1192 wrote to memory of 2768 | 1192 |         | iexpress.exe
  PID 1192 wrote to memory of 2768 | 1192 |         | iexpress.exe
  PID 1192 wrote to memory of 2768 | 1192 |         | iexpress.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rdpinit.exe
  C:\Windows\system32\rdpinit.exe
- C:\Users\Admin\AppData\Local\CLznCUIk\rdpinit.exe
  C:\Users\Admin\AppData\Local\CLznCUIk\rdpinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dccw.exe
  C:\Windows\system32\dccw.exe
- C:\Users\Admin\AppData\Local\wkYSPa3F\dccw.exe
  C:\Users\Admin\AppData\Local\wkYSPa3F\dccw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\iexpress.exe
  C:\Windows\system32\iexpress.exe
- C:\Users\Admin\AppData\Local\Wsa\iexpress.exe
  C:\Users\Admin\AppData\Local\Wsa\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\CLznCUIk\WTSAPI32.dll
  Filesize: 988KB
  MD5: 087fe4ba18c1c93a94eace472ee09c2a
  SHA1: fc2102804f48bdde9a9c4ea864e31422c43a64f9
  SHA256: e818e746776949418201e32b2556dfeed69f8cefef564ba1f363db877c4d684e
  SHA512: f467173bde2706a9544d307f9f98185e74974cbadf7ad7d9ab7cfb5fabd6d721a8da5537ec735c7baf1aaa28b5bbf5803056a86b5e67bbc7ab5d5c985218a5c6
- C:\Users\Admin\AppData\Local\CLznCUIk\rdpinit.exe
  Filesize: 174KB
  MD5: 664e12e0ea009cc98c2b578ff4983c62
  SHA1: 27b302c0108851ac6cc37e56590dd9074b09c3c9
  SHA256: 00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
  SHA512: f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d
- C:\Users\Admin\AppData\Local\Wsa\VERSION.dll
  Filesize: 986KB
  MD5: 3edebe2248faecc16919b3423cffc524
  SHA1: daf2e5780c38f4aaaf89d717d917b124542d5b55
  SHA256: d739229cd554a0659212128d7e9671249809f461057ca314051fe14f3ca034ec
  SHA512: fc1a383f5eee9c0aa746ddd1f8f8c957b090979a37aec0df40189309c01eb80764603bb6309efcc94320fe0bd50e21fd9e8e5166daaa4f46d2d991e8b3b7ba87
- C:\Users\Admin\AppData\Local\wkYSPa3F\mscms.dll
  Filesize: 990KB
  MD5: 20737216decaf517148c5eeeee3dfa20
  SHA1: 461d5b8b79ab2ca7e222884cca1b42e8b066ede1
  SHA256: 7af483cd4a106e153ae125d5bdcd7576238a0b6408ae3c11b1854b1b1ff95fad
  SHA512: a852acdbf7bc98153d29b61821fc93488c1965704e5b95f5a88e229401f04d5c0b386719c2caa1f14d86b30ccd1bd70763e5cbdca26bf8399f9037b6cb595798
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
  Filesize: 1KB
  MD5: 12063e19759bde42cffbc7e6a7976e5a
  SHA1: 69a1c514572b4b3758055f2abc05e07e2114a45a
  SHA256: e5a5fda7192e26796414e622aef2b6e70b041111256c4e1caf25b877bc4b2202
  SHA512: 1498160d95c7e26f8cb14ed477198fee5cf3807003a04e37d2777fe289ec5ee3b1808840cb444d905a31c4c5b0f8317556bdf7b2547fc6cc6bd2c57299a85a47
- \Users\Admin\AppData\Local\Wsa\iexpress.exe
  Filesize: 163KB
  MD5: 46fd16f9b1924a2ea8cd5c6716cc654f
  SHA1: 99284bc91cf829e9602b4b95811c1d72977700b6
  SHA256: 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3
  SHA512: 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629
- \Users\Admin\AppData\Local\wkYSPa3F\dccw.exe
  Filesize: 861KB
  MD5: a46cee731351eb4146db8e8a63a5c520
  SHA1: 8ea441e4a77642e12987ac842b36034230edd731
  SHA256: 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5
  SHA512: 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc
- memory/1192-26-0x0000000077490000-0x0000000077492000-memory.dmp
  Filesize: 8KB
- memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-25-0x0000000077301000-0x0000000077302000-memory.dmp
  Filesize: 4KB
- memory/1192-24-0x0000000002E40000-0x0000000002E47000-memory.dmp
  Filesize: 28KB
- memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-37-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-35-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-4-0x00000000771F6000-0x00000000771F7000-memory.dmp
  Filesize: 4KB
- memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-5-0x0000000002E60000-0x0000000002E61000-memory.dmp
  Filesize: 4KB
- memory/1192-73-0x00000000771F6000-0x00000000771F7000-memory.dmp
  Filesize: 4KB
- memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/2068-0-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/2068-44-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB
- memory/2068-3-0x0000000000130000-0x0000000000137000-memory.dmp
  Filesize: 28KB
- memory/2204-74-0x0000000000110000-0x0000000000117000-memory.dmp
  Filesize: 28KB
- memory/2204-77-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB
- memory/2664-58-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB
- memory/2664-55-0x0000000000190000-0x0000000000197000-memory.dmp
  Filesize: 28KB
- memory/2664-52-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB
- memory/2768-89-0x0000000000290000-0x0000000000297000-memory.dmp
  Filesize: 28KB
- memory/2768-95-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB