Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 12:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll
- Resource: win7-20240419-en
General
- Target: 3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll
- Size: 986KB
- MD5: 3485e0ac521bf858da4d8c19eb33c548
- SHA1: afad1434651161ac3d4e1c3ef169cdb6635134f7
- SHA256: 3f6bec2d9c14ebe6ddf25c6628cb39c4918acada8c37472134f45031d72221d7
- SHA512: eafc4b171db0c06a975a4ca20a5289c6b9298b6db9ca170d4536a4034dc77074b8760c17d54da61e540bb0eb57f51839bad36294a95992ade96dac0275f45fea
- SSDEEP: 24576:0VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:0V8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- Yara rule match
  resource: behavioral2/memory/3380-4-0x00000000030D0000-0x00000000030D1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  pid 1720 EhStorAuthn.exe
  pid 4044 isoburn.exe
  pid 1920 ie4ushowIE.exe
- Loads dropped DLL 3 IoCs
  pid 1720 EhStorAuthn.exe
  pid 4044 isoburn.exe
  pid 1920 ie4ushowIE.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\V8K8LK~1\\isoburn.exe"
- Checks whether UAC is enabled
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by ie4ushowIE.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by EhStorAuthn.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by isoburn.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 2116 rundll32.exe (4 entries)
  pid 3380, process name not recorded (remaining 60 entries)
- Suspicious use of WriteProcessMemory 12 IoCs
  PID 3380 wrote to memory of 3100, target process EhStorAuthn.exe
  PID 3380 wrote to memory of 3100, target process EhStorAuthn.exe
  PID 3380 wrote to memory of 1720, target process EhStorAuthn.exe
  PID 3380 wrote to memory of 1720, target process EhStorAuthn.exe
  PID 3380 wrote to memory of 3464, target process isoburn.exe
  PID 3380 wrote to memory of 3464, target process isoburn.exe
  PID 3380 wrote to memory of 4044, target process isoburn.exe
  PID 3380 wrote to memory of 4044, target process isoburn.exe
  PID 3380 wrote to memory of 1044, target process ie4ushowIE.exe
  PID 3380 wrote to memory of 1044, target process ie4ushowIE.exe
  PID 3380 wrote to memory of 1920, target process ie4ushowIE.exe
  PID 3380 wrote to memory of 1920, target process ie4ushowIE.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\EhStorAuthn.exe
  command line: C:\Windows\system32\EhStorAuthn.exe
- C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
  command line: C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
- C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\ie4ushowIE.exe
  command line: C:\Windows\system32\ie4ushowIE.exe
- C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
  command line: C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\8Z8\VERSION.dll
  Filesize: 987KB
  MD5: 29cf5bfbe522019406de2ae750c9a8cd
  SHA1: 43532e2d04e60854e937f20872852f37c832876e
  SHA256: 86baf3eb34ae72a1c0f4a7633dffb11ec9737ec0fd1484ef284c5138ec55a066
  SHA512: d4374869479d250bf53983e3a23ae7529ab27db0e42643f097036633c6beaf0927594cf4c9c33ca052533cfa05a575d6db514067786511acd190b096fb6c1be7
- C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
  Filesize: 76KB
  MD5: 9de952f476abab0cd62bfd81e20a3deb
  SHA1: 109cc4467b78dad4b12a3225020ea590bccee3e6
  SHA256: e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b
  SHA512: 3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9
- C:\Users\Admin\AppData\Local\QXCmEvF\UxTheme.dll
  Filesize: 989KB
  MD5: 446f16f53efa632cd6b0e74df204a3bf
  SHA1: e4244e557d81ecea70fad0cd45fb1928ebe57594
  SHA256: 0beafe9302cf5e818b4b26a953ea2ab4bfcf35c7d63914503dab86997e84b255
  SHA512: e56b239b4c279883e7d9be1d09db7389b30b3c58527362f9f0d09fe05c4cd4cae358dea9f3ddd6c54fde35ad738664cd971570f69aa43222872f406ced5f569c
- C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
  Filesize: 119KB
  MD5: 68078583d028a4873399ae7f25f64bad
  SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
  SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
  SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1
- C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
  Filesize: 128KB
  MD5: d45618e58303edb4268a6cca5ec99ecc
  SHA1: 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
  SHA256: d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
  SHA512: 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd
- C:\Users\Admin\AppData\Local\Ybik\UxTheme.dll
  Filesize: 989KB
  MD5: 9a0959526d92504f74bc81395c933825
  SHA1: 190d72f5febe15c028a680a819eda1a78fc7b7bc
  SHA256: 545f16171c2ab8215dec3ac3cbd4d3615dc499a0546878e6dcdad94bbab421aa
  SHA512: c179e266af2a2457c9b372a1425e1138c4cc92d4355c92a49d325344d14fc72419c21c7dcfc90e4ef396daf8a3eb367f32452ba71e125a098154e69c14b3f2a4
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
  Filesize: 1KB
  MD5: ca1da249d32201534127e8e4ea8a00ee
  SHA1: 6c5291f13f7796b7f7e58d11146c00439021ef06
  SHA256: 34cd45f0190992dfbffde08fc01b7a409b25facfae014532629557ddd0e0c857
  SHA512: 249476e4ee79fe0e084e2f38bc21dab585972651007b1c9ed2170a8bd2770d893085a8cefbfd218371e60bcdffb5a77a12d2f5a8b25e91d3c925807c33ea1a5f
- memory/1720-50-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/1720-44-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/1720-47-0x0000024F75030000-0x0000024F75037000-memory.dmp (Filesize: 28KB)
- memory/1920-78-0x0000027963370000-0x0000027963377000-memory.dmp (Filesize: 28KB)
- memory/1920-84-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/2116-0-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/2116-3-0x0000013B688E0000-0x0000013B688E7000-memory.dmp (Filesize: 28KB)
- memory/2116-37-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-23-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-11-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-12-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-7-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-8-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-9-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-10-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-34-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-14-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3380-4-0x00000000030D0000-0x00000000030D1000-memory.dmp (Filesize: 4KB)
- memory/3380-6-0x00007FFCAB50A000-0x00007FFCAB50B000-memory.dmp (Filesize: 4KB)
- memory/3380-25-0x00007FFCACD90000-0x00007FFCACDA0000-memory.dmp (Filesize: 64KB)
- memory/3380-24-0x0000000002EB0000-0x0000000002EB7000-memory.dmp (Filesize: 28KB)
- memory/3380-13-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/4044-67-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/4044-61-0x0000018E8A600000-0x0000018E8A607000-memory.dmp (Filesize: 28KB)