Analysis
-
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
Resource: win7-20240508-en
General
Target: 4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
Size: 1.4MB
MD5: 4d950b19cf1259d8507195d85bee6117
SHA1: a811e17a47a4245169044ebaaa24341e20f1606b
SHA256: 588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3
SHA512: 1b06dd3c0840021c2d155134580465bcaa4dfc69051ce35932a57f3b4ec4d2f8822af9197122c077b2e5d622a867043027c2a7ec6f0789dfb9f7edbad5d40a16
SSDEEP: 24576:8uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NFt:09cKrUqZWLAcU
Malware Config
Signatures
-
Processes:
  resource: behavioral2/memory/3536-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
  4460 InfDefaultInstall.exe
  3324 systemreset.exe
  3624 wextract.exe
-
Loads dropped DLL 3 IoCs
Processes (pid, process):
  4460 InfDefaultInstall.exe
  3324 systemreset.exe
  3624 wextract.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\8OxmrOE\\SYSTEM~1.EXE" | (process not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | systemreset.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wextract.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | InfDefaultInstall.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  4008 rundll32.exe (4 entries)
  3536 (remaining entries; process name not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process; each entry recorded twice):
  PID 3536 wrote to memory of 4464 | 3536 | (not recorded) | InfDefaultInstall.exe
  PID 3536 wrote to memory of 4460 | 3536 | (not recorded) | InfDefaultInstall.exe
  PID 3536 wrote to memory of 3276 | 3536 | (not recorded) | systemreset.exe
  PID 3536 wrote to memory of 3324 | 3536 | (not recorded) | systemreset.exe
  PID 3536 wrote to memory of 2724 | 3536 | (not recorded) | wextract.exe
  PID 3536 wrote to memory of 3624 | 3536 | (not recorded) | wextract.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\InfDefaultInstall.exe
  command line: C:\Windows\system32\InfDefaultInstall.exe
-
C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
  command line: C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Windows\system32\systemreset.exe
  command line: C:\Windows\system32\systemreset.exe
-
C:\Users\Admin\AppData\Local\8J3\systemreset.exe
  command line: C:\Users\Admin\AppData\Local\8J3\systemreset.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Windows\system32\wextract.exe
  command line: C:\Windows\system32\wextract.exe
-
C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
  command line: C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\8J3\DUI70.dll
Filesize: 1.7MB
MD5: 817709ac08fdc7c20f80935809549170
SHA1: 67eb2610a817f4d53907b158cfba7380ffa0f0ec
SHA256: 80c0f8744d1101d79d8263387be2f4a52857311b7d2f256b0ab325c6b13a650f
SHA512: d97af278b297a6effbe6e988903789069fa1e8bc13dff1e8053371b30888a0e15a26f90f3bf89a52c1b8a6557b51ef56db4239707aee7ba36509cbb0fd7bb670
-
C:\Users\Admin\AppData\Local\8J3\systemreset.exe
Filesize: 508KB
MD5: 325ff647506adb89514defdd1c372194
SHA1: 84234ff97d6ddc8a4ea21303ea842aa76a74e0ea
SHA256: ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad
SHA512: 8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868
-
C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
Filesize: 13KB
MD5: ee18876c1e5de583de7547075975120e
SHA1: f7fcb3d77da74deee25de9296a7c7335916504e3
SHA256: e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
SHA512: 08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c
-
C:\Users\Admin\AppData\Local\Tfmzj\newdev.dll
Filesize: 1.4MB
MD5: 469ad2b380526ae35e8782be53ce4590
SHA1: 72e27748b6ea8380f947c97fbc222c32a19617e3
SHA256: 932747ac577a11713e7ed3ed5e11463d7f6897d2a40136fdcc6fead9eb50a850
SHA512: d1c09d62cc41d88bb42ee4273ff74e2a679f8a691022a41515dbb3d95778085fe7d03ac6d0d71ad2783b4372f4c00c706e50cf13eb2ced9cf82c0f99d5a01797
-
C:\Users\Admin\AppData\Local\mSDX1Pb\VERSION.dll
Filesize: 1.4MB
MD5: 17b1cfc8c42629e080d5feebef01834e
SHA1: 079c3393c7499d41980093ce731e00633409543b
SHA256: f33313f39d32e4d60b253a35fb44f0e9f4f8f8a5bb267d47f1605d60548b9b71
SHA512: cd9f6dd6dfcd09eed83ea403407ab2adc37d36b5242185e31a7a4c3a797fa99f73a5d68bcfe913c7b822a7390068e3917af2f17f1f8978fb887d116b1609b454
-
C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
Filesize: 143KB
MD5: 56e501e3e49cfde55eb1caabe6913e45
SHA1: ab2399cbf17dbee7b302bea49e40d4cee7caea76
SHA256: fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
SHA512: 2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize: 1KB
MD5: e6ff922a8da05ad17f9d7186f84328f2
SHA1: 5f25f503bafc85cee4b5c5df53fbada7d65aaf6d
SHA256: cb6817ff09521729000f6ea9d1f75ac2d22c605a773f55184deec966985d8a04
SHA512: 42fce1078a93548004ae5f7bb7deb4baf3d2301aa4e83b5aa7d4845219f6e31232608a76911137dcac7a14ac2456659c83a4d5b7af1e53f88aac9049f0084084
-
Memory dumps (resource, Filesize):
memory/3324-71-0x00007FFE30190000-0x00007FFE30344000-memory.dmp  1.7MB
memory/3324-66-0x00007FFE30190000-0x00007FFE30344000-memory.dmp  1.7MB
memory/3324-65-0x000001FB50500000-0x000001FB50507000-memory.dmp  28KB
memory/3536-35-0x00007FFE4CD4A000-0x00007FFE4CD4B000-memory.dmp  4KB
memory/3536-38-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-14-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-13-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-12-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-11-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-10-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-9-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-8-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-7-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-18-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp  4KB
memory/3536-17-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-6-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-15-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-26-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-16-0x0000000140000000-0x000000014016E000-memory.dmp  1.4MB
memory/3536-36-0x0000000000E20000-0x0000000000E27000-memory.dmp  28KB
memory/3536-37-0x00007FFE4E510000-0x00007FFE4E520000-memory.dmp  64KB
memory/3624-82-0x00007FFE301E0000-0x00007FFE3034F000-memory.dmp  1.4MB
memory/3624-87-0x00007FFE301E0000-0x00007FFE3034F000-memory.dmp  1.4MB
memory/4008-1-0x00007FFE40000000-0x00007FFE4016E000-memory.dmp  1.4MB
memory/4008-41-0x00007FFE40000000-0x00007FFE4016E000-memory.dmp  1.4MB
memory/4008-3-0x0000020C73260000-0x0000020C73267000-memory.dmp  28KB
memory/4460-54-0x00007FFE30240000-0x00007FFE303AF000-memory.dmp  1.4MB
memory/4460-49-0x00007FFE30240000-0x00007FFE303AF000-memory.dmp  1.4MB
memory/4460-48-0x000002835FBE0000-0x000002835FBE7000-memory.dmp  28KB