Analysis

Max time kernel: 150s
Max time network: 100s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-05-2024 19:11

Static task: static1
Behavioral task: behavioral1
Sample: 3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll
Resource: win7-20240508-en
General

Target: 3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll
Size: 1.2MB
MD5: 3c561335b84b1b6ec405b90307df1495
SHA1: 96c6d79ab3982f5598a8883a46d3605f79bdcc2f
SHA256: 04cf75d0e0684e29799390a40209ee9a357fcd561af47662b26dee8954a31bcb
SHA512: 9424214f2ae46ae5e5b99f728872ac203554b1004c1aa2f4664cc36cb7f521b953a96783e86e243d4bae42f1099e5669858557568e0c980366d5231fa4fd0793
SSDEEP: 24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm
Signatures

Processes:
  resource:  behavioral2/memory/3376-4-0x00000000089E0000-0x00000000089E1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4340  SystemPropertiesRemote.exe
  4708  InfDefaultInstall.exe
  4320  sppsvc.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  4340  SystemPropertiesRemote.exe
  4708  InfDefaultInstall.exe
  4320  sppsvc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\GAUYNS~1\\INFDEF~1.EXE"
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sppsvc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesRemote.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  InfDefaultInstall.exe
Modifies registry class (1 IoCs)
Processes:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  4252  rundll32.exe                 (4 entries)
  3376  (process name not recorded)  (60 entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  description                       pid
  Token: SeShutdownPrivilege        3376  (4 entries)
  Token: SeCreatePagefilePrivilege  3376  (4 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 3376  (2 entries; process name not recorded)

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid 3376  (process name not recorded)
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                        pid   target process
  PID 3376 wrote to memory of 4840   3376  SystemPropertiesRemote.exe  (2 entries)
  PID 3376 wrote to memory of 4340   3376  SystemPropertiesRemote.exe  (2 entries)
  PID 3376 wrote to memory of 3924   3376  InfDefaultInstall.exe       (2 entries)
  PID 3376 wrote to memory of 4708   3376  InfDefaultInstall.exe       (2 entries)
  PID 3376 wrote to memory of 4320   3376  sppsvc.exe                  (2 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\SystemPropertiesRemote.exe
  command line: C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
  command line: C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\InfDefaultInstall.exe
  command line: C:\Windows\system32\InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
  command line: C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\sppsvc.exe
  command line: C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
  command line: C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads

C:\Users\Admin\AppData\Local\DMn2PXfl7\XmlLite.dll
  Filesize: 1.2MB
  MD5: bab8f1fbad38a9daf96d57b19dd2f501
  SHA1: b04539e1834c7c82a16e76d81803985562ec2dae
  SHA256: e9d18ed06a171de117b99a3d0d74de726e3a93eed05fd272dcd3745df61b122f
  SHA512: 2ad9a468e607cd809713f1d2cc04337885fc29c194810631004260bffb3ded4fa26cd957ecc3fc0598a9b6eaf3bc423925e16b70ee6cea194f74cc442e7090c4

C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
  Filesize: 4.4MB
  MD5: ec6cef0a81f167668e18fa32f1606fce
  SHA1: 6d56837a388ae5573a38a439cee16e6dde5b4de8
  SHA256: 82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8
  SHA512: f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
  Filesize: 13KB
  MD5: ee18876c1e5de583de7547075975120e
  SHA1: f7fcb3d77da74deee25de9296a7c7335916504e3
  SHA256: e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
  SHA512: 08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

C:\Users\Admin\AppData\Local\I0jWI\newdev.dll
  Filesize: 1.2MB
  MD5: de7e93955ef03c35e91c0013e52a7f9e
  SHA1: 2d051e3a1a638a0af3dd78730d34e8435ba8155e
  SHA256: 370ee96c075d203e3c2e473adad5b32cfe4cb8587cf50b9e78d49f08c9012a08
  SHA512: d4eecf2c62daedfae755a1de1e5a9d6657d4c36c459329c37df3b0cccaf2a944338b028adaf8ff891b6a4b0bd26b6e2de9078effdcc81b83db3f624d8b814f94

C:\Users\Admin\AppData\Local\s3Qjs\SYSDM.CPL
  Filesize: 1.2MB
  MD5: df7c95f55eec0d5e2cd6aa5c5ae4cc05
  SHA1: f724e3c6adf61cc4c65ae3363be18cf801487872
  SHA256: fc971162fa54cd16db6349f722765e240240f7de12b02c42afed0c058b93642a
  SHA512: c5ec3c80000a13ba5f17699b3ec80eb6436d124298120b0ef4f5fb4447b80ce4cd716579cd606522053806a3f3416b0356093096ac16ad715ffd4a1335957093

C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
  Filesize: 82KB
  MD5: cdce1ee7f316f249a3c20cc7a0197da9
  SHA1: dadb23af07827758005ec0235ac1573ffcea0da6
  SHA256: 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
  SHA512: f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk
  Filesize: 1KB
  MD5: 276f9ac3845adfe865f98a46ed9bb3c3
  SHA1: 35b09d4ae0a592ae3acba02af83e6d5a86309907
  SHA256: a1883ea391f73c933d83b226c52c98ac443a411b99eec5ab4d381b2f8f036b54
  SHA512: 42fe295d15cddae246c103361f0e4a591614850d475411b14d447fd3322c88890fe40548f45525f074d62136121029e51f9fc03d5cbffb2b021fd70f73cfd6b2