Analysis

Max time kernel:    150s
Max time network:   124s
Platform:           windows7_x64
Resource:           win7-20240221-en
Resource tags:      arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted:          25-05-2024 11:18

Static task:        static1
Behavioral task:    behavioral1
  Sample:           71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll
  Resource:         win7-20240221-en
General

Target:   71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll
Size:     989KB
MD5:      71c69de7c83209a1bf71d62abae46b83
SHA1:     2bc4a12a267d0cf44de82094c44c3555f2e775ac
SHA256:   a00e30735a9c57cf4ecc0b3f55291dd33cb224df7958275b4f4ee68240b2cc20
SHA512:   8ba0c7e0dc7b8ba55a94792a3e4921792ee6ed314928e5e6a43897e5e8a6ca43a302a978195bb1a1d8bba348f66e656431686aba95fb9d7c580bca5d394b4e11
SSDEEP:   24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures

YARA: dridex_stager_shellcode
  resource    behavioral1/memory/1408-5-0x0000000002570000-0x0000000002571000-memory.dmp
  yara_rule   dridex_stager_shellcode

Executes dropped EXE  (3 IoCs)
  pid    process
  2200   Netplwiz.exe
  1012   rdrleakdiag.exe
  2008   wusa.exe

Loads dropped DLL  (7 IoCs)
  pid    process
  1408   (image not named in the report)
  2200   Netplwiz.exe
  1408   (image not named in the report)
  1012   rdrleakdiag.exe
  1408   (image not named in the report)
  2008   wusa.exe
  1408   (image not named in the report)

  PID 1408 does not appear in the process tree below. The WriteProcessMemory table shows it writing into every Netplwiz.exe, rdrleakdiag.exe and wusa.exe instance, and the dridex_stager_shellcode YARA hit is in its memory, so it is the injected host that stages each side-loaded copy.

Adds Run key to start application  (2 TTPs, 1 IoC)
  Set value (str)   \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu
                    = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\4y0Uqh\\RDRLEA~1.EXE"

  The value is written with 8.3 short names (MICROS~1, STARTM~1, ACCESS~1, RDRLEA~1.EXE), so a detection that matches only the long form of the Start Menu path will miss it. RDRLEA~1.EXE is consistent with a further copy of rdrleakdiag.exe, but no file at that location appears in the dropped-files list.

Checks whether UAC is enabled  (4 IoCs)
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by:                 wusa.exe, rundll32.exe, Netplwiz.exe, rdrleakdiag.exe

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid    process                             events
  2232   rundll32.exe                        3
  1408   (image not named in the report)     61

Suspicious use of WriteProcessMemory  (18 IoCs)
  source pid   target pid   target process    events
  1408         2356         Netplwiz.exe      3
  1408         2200         Netplwiz.exe      3
  1408         2848         rdrleakdiag.exe   3
  1408         1012         rdrleakdiag.exe   3
  1408         2372         wusa.exe          3
  1408         2008         wusa.exe          3

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe  (PID 2232)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\Netplwiz.exe  (PID 2356)
  command line: C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe  (PID 2200)
  command line: C:\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\rdrleakdiag.exe  (PID 2848)
  command line: C:\Windows\system32\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe  (PID 1012)
  command line: C:\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\wusa.exe  (PID 2372)
  command line: C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe  (PID 2008)
  command line: C:\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All seven entries sit at the same depth of the tree; the process that spawns the six Netplwiz.exe, rdrleakdiag.exe and wusa.exe instances is PID 1408, which the report does not show. PIDs are taken from the signature tables above: 2200, 1012 and 2008 are the dropped copies, and 2356, 2848 and 2372 are the remaining WriteProcessMemory targets with the matching image name.

The pattern is DLL search-order hijacking. Each legitimate System32 binary is executed once from its original location, then a copy of it is executed from a randomly named folder under %LOCALAPPDATA% (WkDfx, rwC, gQKIeNvh) next to a roughly 990KB DLL whose name the binary resolves at load time (NETPLWIZ.dll, wer.dll, WTSAPI32.dll; see the dropped files below). The copy finds that name in its own directory before System32, so the malicious DLL runs under a legitimately named Microsoft host process.
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\WkDfx\NETPLWIZ.dll
  Filesize  989KB
  MD5       a4ee8cb8af82c5a0ce7a03690ba8ee89
  SHA1      40eb71806ecd23d5c136c2ac0db214696e3fb81e
  SHA256    98c986ed41642779a9343c7871d0c661e679cd254debeb6a47c6d7b2ce000c09
  SHA512    0a27a3cf1e8332825cc96ee0ff9c9e6f1e988c8612ff645cb421a63e99477170691b5e450f6e12dfb0ed07e362240f182dfbc8fd96d808f910650d66da1f04b7

C:\Users\Admin\AppData\Local\rwC\wer.dll
  Filesize  992KB
  MD5       b678c40ae1a79327ebe589c4964869d9
  SHA1      8f72abd44861f5702e4b45c601a6740815fb372e
  SHA256    6fabb5a2c56b7c319914ff139577672bb3c939f57be4c3633585cb77f3501cda
  SHA512    f09845d1828cf9b7299dee6a664ef579e9e472ea48a73576c5ada4fe20131f8c4b6005a2d8c5a6c76a0dc15787899a904cf7723e587ebaa2262cac96319757ec

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
  Filesize  1KB
  MD5       af51ff7b6e76ac5ec3ab2f9ab13ad193
  SHA1      546abab3beddb94dd425b6ba0814f1e4a164ad44
  SHA256    7ba59ba6e57472c32de778eac766017425cd6dd13bfd8f109920674d90d26afa
  SHA512    86e348f7a7405be3e615bd6990f21cd5a99fcbc57b3ecec50f8cd0bf67fc7adb6ef93e2ceddc849614db4a70a6866abb900ce63cbe31200b9a28e9726fbcc6bf

\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe
  Filesize  26KB
  MD5       e43ec3c800d4c0716613392e81fba1d9
  SHA1      37de6a235e978ecf3bb0fc2c864016c5b0134348
  SHA256    636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
  SHA512    176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

\Users\Admin\AppData\Local\gQKIeNvh\WTSAPI32.dll
  Filesize  991KB
  MD5       5976648fee6a647fff427ed727140ff7
  SHA1      e2d6d7d67d5f743910f8417a479d5d04b13566f7
  SHA256    2c6ef82bb8eaf5ff744840820af0305b2fd4488a8b7f3d691c4442d0e733da11
  SHA512    9f8d42d1242c308ee5f18e505ed476b54e8dae4bdb98939dfd2786177018185bc1927c62b45853194e1e05d36f064528e39b4cdfd6cb4035e1cc37239f534b76

\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe
  Filesize  300KB
  MD5       c15b3d813f4382ade98f1892350f21c7
  SHA1      a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
  SHA256    8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
  SHA512    6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe
  Filesize  39KB
  MD5       5e058566af53848541fa23fba4bb5b81
  SHA1      769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
  SHA256    ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
  SHA512    352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

The three small executables (26KB, 39KB, 300KB) are the copied Windows binaries; the three DLLs of roughly 990KB beside them, close to the 989KB of the submitted sample, are the payload. The target of the Startup shortcut Dgsmy.lnk is not given in the report.
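The process tree and the dropped files above are enough to write a hunt for this behaviour. The Python below is an added example; it is not part of the sandbox output and not the sample's code. It replays constructed events built from this report's IoCs (the Sysmon-like event shape, the field names and the use of the WriteProcessMemory source PID as the parent are assumptions for illustration) and flags the observable signals: a System32 binary executing from outside a system directory, a DLL planted in that same directory, a shortcut written to the Startup folder, a Run key whose target is in the user profile, and 8.3 short-name segments in written paths, since the Run value here is in that form. Paths are normalised before comparison because the report lists some dropped files with a drive letter and some without.

```python
"""Hunt for the side-loading and persistence pattern recorded in this report.

Added example, not sandbox output. EVENTS is constructed from the IoCs on
this page; the event shape and field names are an assumption, not a real
telemetry schema.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows binaries are expected to run (drive stripped by norm()).
SYSTEM_DIRS = {"\\windows\\system32", "\\windows\\syswow64"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Matches both "...\Start Menu\Programs\Startup\" and its 8.3 form "...\STARTM~1\Programs\Startup\".
STARTUP_HINT = "\\programs\\startup\\"
# One 8.3 short-name segment: up to six chars, a tilde and a number, optional 3-char extension
# (MICROS~1, STARTM~1, RDRLEA~1.EXE).
SHORT_SEGMENT = re.compile(r"^[^\\.]{1,6}~\d{1,2}(\.[^\\.]{1,3})?$")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def norm(path: str) -> str:
    """Lower-case, single backslashes, drive letter removed.

    The report prints registry strings with escaped backslashes (C:\\\\Users) and
    lists some dropped files without a drive (\\Users\\...); both forms must
    compare equal to the C:\\Users\\... form used in the process tree.
    """
    p = path.strip().replace("/", "\\").lower()
    p = re.sub(r"\\+", r"\\", p)
    return re.sub(r"^[a-z]:", "", p)


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(norm(path)).parent)


def basename(path: str) -> str:
    return PureWindowsPath(norm(path)).name


def has_short_name_segment(path: str) -> bool:
    return any(SHORT_SEGMENT.match(seg) for seg in norm(path).split("\\"))


def hunt(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    procs = [e for e in events if e["type"] == "process"]

    # Rule 1: a binary that ran from a real system directory also ran from somewhere else.
    # The names are learned from the session itself; in production seed them from a baseline too.
    system_names = {basename(e["image"]) for e in procs if parent_dir(e["image"]) in SYSTEM_DIRS}
    copied_dirs: set[str] = set()
    for e in procs:
        d = parent_dir(e["image"])
        if basename(e["image"]) in system_names and d not in SYSTEM_DIRS:
            copied_dirs.add(d)
            findings.append(Finding("system_binary_executed_outside_system_dir",
                                    f'pid {e["pid"]} {e["image"]} (written to by pid {e["ppid"]})'))

    for e in events:
        if e["type"] == "file":
            p = norm(e["path"])
            # Rule 2: a DLL dropped next to a relocated system binary is the search-order hijack payload.
            if p.endswith(".dll") and parent_dir(p) in copied_dirs:
                findings.append(Finding("dll_planted_beside_copied_system_binary", e["path"]))
            # Rule 3: a shortcut in the per-user Startup folder.
            if STARTUP_HINT in p and p.endswith(".lnk"):
                findings.append(Finding("startup_folder_shortcut", e["path"]))
            # Rule 5: 8.3 short names defeat naive matching on the long path.
            if has_short_name_segment(p):
                findings.append(Finding("short_name_path", e["path"]))
        elif e["type"] == "registry" and RUN_KEY in norm(e["key"]):
            v = norm(e["value"])
            # Rule 4: a Run entry whose target lives in the user profile.
            if "\\appdata\\" in v or "\\users\\" in v:
                findings.append(Finding("run_key_points_into_user_profile", f'{e["key"]} = {e["value"]}'))
            if has_short_name_segment(v):
                findings.append(Finding("short_name_path", e["value"]))
    return findings


# Constructed from this report. "ppid" is the PID that wrote into the process per the
# WriteProcessMemory table (1408, unnamed in the report); rundll32.exe's parent is not given.
EVENTS = [
    {"type": "process", "pid": 2232, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe"},
    {"type": "process", "pid": 2356, "ppid": 1408, "image": r"C:\Windows\system32\Netplwiz.exe"},
    {"type": "process", "pid": 2200, "ppid": 1408, "image": r"C:\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe"},
    {"type": "process", "pid": 2848, "ppid": 1408, "image": r"C:\Windows\system32\rdrleakdiag.exe"},
    {"type": "process", "pid": 1012, "ppid": 1408, "image": r"C:\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe"},
    {"type": "process", "pid": 2372, "ppid": 1408, "image": r"C:\Windows\system32\wusa.exe"},
    {"type": "process", "pid": 2008, "ppid": 1408, "image": r"C:\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\WkDfx\NETPLWIZ.dll"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\rwC\wer.dll"},
    {"type": "file", "path": r"\Users\Admin\AppData\Local\gQKIeNvh\WTSAPI32.dll"},  # no drive in the report
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk"},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu",
     "value": r"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\4y0Uqh\\RDRLEA~1.EXE"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:45} {f.evidence}")
```

Rule 1 only fires because the original System32 instance of each binary also ran in this session; against real telemetry, seed the set of legitimate names from a baseline as well, or a session in which only the relocated copy runs will not trigger it. The second Run-key finding comes from the short-name check, which is what a long-form path match on the Start Menu folder would have missed.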
Memory dumps

  dump                                                               size
  memory/1012-71-0x0000000000180000-0x0000000000187000-memory.dmp    28KB
  memory/1012-77-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
  memory/1408-4-0x00000000772E6000-0x00000000772E7000-memory.dmp     4KB
  memory/1408-5-0x0000000002570000-0x0000000002571000-memory.dmp     4KB
  memory/1408-7-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
  memory/1408-8-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
  memory/1408-9-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
  memory/1408-10-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-11-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-12-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-13-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-14-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-23-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-24-0x0000000002550000-0x0000000002557000-memory.dmp    28KB
  memory/1408-25-0x00000000773F1000-0x00000000773F2000-memory.dmp    4KB
  memory/1408-26-0x0000000077580000-0x0000000077582000-memory.dmp    8KB
  memory/1408-35-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-36-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
  memory/1408-52-0x00000000772E6000-0x00000000772E7000-memory.dmp    4KB
  memory/2008-89-0x0000000000080000-0x0000000000087000-memory.dmp    28KB
  memory/2008-95-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
  memory/2200-53-0x0000000000170000-0x0000000000177000-memory.dmp    28KB
  memory/2200-54-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
  memory/2200-59-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
  memory/2232-0-0x0000000000110000-0x0000000000117000-memory.dmp     28KB
  memory/2232-1-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
  memory/2232-38-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB

0x140000000 is the default image base of a 64-bit PE. The 1008KB image at that base is mapped in rundll32.exe (2232), which loaded the submitted DLL, and again in PID 1408, consistent with the same module having been injected into 1408; the 4KB region at 1408's 0x2570000 is the one that matched dridex_stager_shellcode. The 1012KB images at the same base in 2200, 1012 and 2008 correspond to the side-loaded DLLs dropped beside the copied binaries (989KB to 992KB on disk; the mapped size is rounded up to section alignment). A 28KB region also appears in every process (0x110000 in 2232, 0x2550000 in 1408, 0x170000 in 2200, 0x180000 in 1012, 0x80000 in 2008).