Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 23:37

Static task: static1
Behavioral task: behavioral1
- Sample: 4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
- Resource: win7-20240508-en
General
- Target: 4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 4d950b19cf1259d8507195d85bee6117
- SHA1: a811e17a47a4245169044ebaaa24341e20f1606b
- SHA256: 588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3
- SHA512: 1b06dd3c0840021c2d155134580465bcaa4dfc69051ce35932a57f3b4ec4d2f8822af9197122c077b2e5d622a867043027c2a7ec6f0789dfb9f7edbad5d40a16
- SSDEEP: 24576:8uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NFt:09cKrUqZWLAcU
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  Processes (resource | yara_rule):
  behavioral1/memory/1204-5-0x00000000025B0000-0x00000000025B1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid | process):
  2692 | spreview.exe
  1884 | dpnsvr.exe
  1988 | FXSCOVER.exe
- Loads dropped DLL 7 IoCs
  Processes (pid | process; the report records no process name for PID 1204):
  1204 | (not recorded)
  2692 | spreview.exe
  1204 | (not recorded)
  1884 | dpnsvr.exe
  1204 | (not recorded)
  1988 | FXSCOVER.exe
  1204 | (not recorded)
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\11iRiiY\\dpnsvr.exe" | (not recorded)
- Checks whether UAC is enabled 4 IoCs
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spreview.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpnsvr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FXSCOVER.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid | process):
  1712 | rundll32.exe (3 entries)
  1204 | (not recorded; remaining 61 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes (description | pid | process | target process); each row appears three times in the report:
  PID 1204 wrote to memory of 2040 | 1204 | (not recorded) | spreview.exe
  PID 1204 wrote to memory of 2692 | 1204 | (not recorded) | spreview.exe
  PID 1204 wrote to memory of 2984 | 1204 | (not recorded) | dpnsvr.exe
  PID 1204 wrote to memory of 1884 | 1204 | (not recorded) | dpnsvr.exe
  PID 1204 wrote to memory of 2704 | 1204 | (not recorded) | FXSCOVER.exe
  PID 1204 wrote to memory of 1988 | 1204 | (not recorded) | FXSCOVER.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
- C:\Users\Admin\AppData\Local\Gn0A\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\Gn0A\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dpnsvr.exe
  Command line: C:\Windows\system32\dpnsvr.exe
- C:\Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
  Command line: C:\Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\FXSCOVER.exe
  Command line: C:\Windows\system32\FXSCOVER.exe
- C:\Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
  Command line: C:\Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads
- C:\Users\Admin\AppData\Local\0DwkYfnU\WINMM.dll
  Filesize: 1.4MB
  MD5: 44af2a791acbeec689ba5efbddada2cc
  SHA1: e4ca7e075354eef61300d118d26654d85c5fcfc8
  SHA256: d135f4095564a944b2134885b6ed660670c306e78bd5475b5db579455c4802aa
  SHA512: f371b93feb2b79cc29fd10c92211cdc9ee44fa68013209f4d34ba27c3be14112c95f318201ab4acb071d509479344981bf6bab855d8e65c4b89610e720354eb7
- C:\Users\Admin\AppData\Local\Gn0A\WINBRAND.dll
  Filesize: 1.4MB
  MD5: bd0512e245da33bd5461b728cf4e13ad
  SHA1: aafcf3574d35247e440e157a13b866255714d6f3
  SHA256: 970221c7f4bced64ca4d9f27c2207edb78032ba360a66cadc0e51e4b3412de66
  SHA512: 95b541da9a95994f39983ec27f84f4d1c2dc0f4344ccf41d2c74ee9741267be44e861aadffded986520d1add39cc9685efb62a4445d57fd0daff48caaaec504c
- C:\Users\Admin\AppData\Local\kkmu\MFC42u.dll
  Filesize: 1.4MB
  MD5: 057a13bbdaa8baacf921542684fbf903
  SHA1: 8e14353a5a09278b8caa13890ea32251adb0a0ca
  SHA256: 56066b8a03f2b1f6bce178ee185b2e3bcfb8190f195970b99571d3d349d78bf2
  SHA512: dd8f672a1d29b0fd6a0f262ab1b235d19eee8102fa4967b3867e44b88764aeda4de00cbff6241e7d997433962f02c8e055f3ad7950e297e226094eb4e9064c1c
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
  Filesize: 1KB
  MD5: 989f8bb568bdfac86fe68c0689b7ec61
  SHA1: 7a00f6a2bf5a33c1e70e6635c0b71c264296ad18
  SHA256: d67aa73a66eb5378ecf55b8c7ca0a54c87ef9c60e728467571778b3dfc7f02e6
  SHA512: 7260ac10ad95063d74730d925e7cec5175e65ddf9187126d9d39545d27f96ca868fd594d624707fe6781c50127c93622cd4668f4a012c859dd23050d084e89ad
- \Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
  Filesize: 33KB
  MD5: 6806b72978f6bd27aef57899be68b93b
  SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
  SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
  SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b
- \Users\Admin\AppData\Local\Gn0A\spreview.exe
  Filesize: 294KB
  MD5: 704cd4cac010e8e6d8de9b778ed17773
  SHA1: 81856abf70640f102b8b3defe2cf65669fe8e165
  SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
  SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee
- \Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
  Filesize: 261KB
  MD5: 5e2c61be8e093dbfe7fc37585be42869
  SHA1: ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
  SHA256: 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
  SHA512: 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b