Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 06:09
Static task: static1
Behavioral task: behavioral1
- Sample: f9aab61631b81ae917d1d69ce2c9254c_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f9aab61631b81ae917d1d69ce2c9254c_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: f9aab61631b81ae917d1d69ce2c9254c_JaffaCakes118.dll
- Size: 22KB
- MD5: f9aab61631b81ae917d1d69ce2c9254c
- SHA1: d394c6f786e12ad976dbf8c4344129a5092ac3b5
- SHA256: c14a7fe8781ce2ae0b4473b11020fe21f4493d601c3331d05417d470365c95fe
- SHA512: c9b3244971b900af5c4460a591846f0058ada6d9fbe2cd3bd22e657820453c38b596437013d469969b66fe12ee6dd4990e6adc2529de0efb1957cb210396b34e
- SSDEEP: 384:SXW2vD5qZZ/NWR2slOKbKy8g5l0CJffGOxDvafUxiJb0YNflwXKy00DBd8:Sm21E/NudX0QGOZvWl00G6MDBd8
Malware Config
Signatures

Drops file in Drivers directory (2 IoCs)
Processes: regsvr32.exe, svchost.exe
  description                  | ioc                                   | process
  File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys  | regsvr32.exe
  File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys  | svchost.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
  description     | ioc                                                                                                                          | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetDDEdsd\Parameters\ServiceDll = "C:\\Windows\\system32\\DnwwgJOBjytxRh.dll" | regsvr32.exe

Loads dropped DLL (1 IoC)
Processes: svchost.exe
  pid  | process
  3004 | svchost.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
  description             | ioc    | process
  File opened (read-only) | \??\A: | svchost.exe
  File opened (read-only) | \??\B: | svchost.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: svchost.exe
  description                  | ioc                | process
  File opened for modification | \??\PhysicalDrive0 | svchost.exe

Drops file in System32 directory (5 IoCs)
Processes: svchost.exe, regsvr32.exe
  description                  | ioc                                                                                            | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies           | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\DnwwgJOBjytxRh.dll                                                         | regsvr32.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE          | svchost.exe

Modifies data under HKEY_USERS (8 IoCs)
Processes: svchost.exe
  description     | ioc                                                                                                                  | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                  | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"                 | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"                | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"               | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"                  | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix             | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: regsvr32.exe
  pid  | process
  3080 | regsvr32.exe
  3080 | regsvr32.exe

Suspicious behavior: LoadsDriver (4 IoCs)
Processes:
  pid | process
  664 | (blank in the report)
  664 | (blank in the report)
  664 | (blank in the report)
  664 | (blank in the report)

Suspicious behavior: RenamesItself (1 IoC)
Processes: regsvr32.exe
  pid  | process
  3080 | regsvr32.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: regsvr32.exe, svchost.exe
  description                  | pid  | process
  Token: SeDebugPrivilege      | 3080 | regsvr32.exe
  Token: SeLoadDriverPrivilege | 3080 | regsvr32.exe
  Token: SeDebugPrivilege      | 3080 | regsvr32.exe
  Token: SeLoadDriverPrivilege | 3080 | regsvr32.exe
  Token: SeShutdownPrivilege   | 3080 | regsvr32.exe
  Token: SeDebugPrivilege      | 3004 | svchost.exe
  Token: SeLoadDriverPrivilege | 3004 | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
  description                       | pid  | process      | target process
  PID 3892 wrote to memory of 3080  | 3892 | regsvr32.exe | regsvr32.exe
  PID 3892 wrote to memory of 3080  | 3892 | regsvr32.exe | regsvr32.exe
  PID 3892 wrote to memory of 3080  | 3892 | regsvr32.exe | regsvr32.exe
Processes

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9aab61631b81ae917d1d69ce2c9254c_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\f9aab61631b81ae917d1d69ce2c9254c_JaffaCakes118.dll
    - Drops file in Drivers directory
    - Sets DLL path for service in the registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k NetDDEdsd
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

- C:\Windows\SysWOW64\DnwwgJOBjytxRh.dll (same hashes as the submitted sample)
  Filesize: 22KB
  MD5: f9aab61631b81ae917d1d69ce2c9254c
  SHA1: d394c6f786e12ad976dbf8c4344129a5092ac3b5
  SHA256: c14a7fe8781ce2ae0b4473b11020fe21f4493d601c3331d05417d470365c95fe
  SHA512: c9b3244971b900af5c4460a591846f0058ada6d9fbe2cd3bd22e657820453c38b596437013d469969b66fe12ee6dd4990e6adc2529de0efb1957cb210396b34e

- C:\Windows\SysWOW64\drivers\beep.sys
  Filesize: 2KB
  MD5: 1205579c3ffc1dea6ef8fd3efd694ea6
  SHA1: 4902deb7ab384e52dafc2a55dacfee29075e4051
  SHA256: ad3cf744b1f96c9cad423992feb183f05df17eb251e938a9de239306d652154c
  SHA512: d9fc3877a1779fd9d8b9d4caf47e5fe6dbf18826b8eeb3a5059e1df745ea339dd48227af8396435349f7277a8649eb1d51d1b2d2488a71838c6e54fe4bc16c02

Memory dumps (file: filesize)
- memory/3004-13-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3004-12-0x0000000000E00000-0x0000000000E27000-memory.dmp: 156KB
- memory/3004-14-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3004-15-0x0000000000E30000-0x0000000000E70000-memory.dmp: 256KB
- memory/3004-22-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3004-23-0x0000000000E30000-0x0000000000E70000-memory.dmp: 256KB
- memory/3080-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp: 4KB
- memory/3080-4-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3080-2-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3080-3-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB
- memory/3080-1-0x0000000001370000-0x0000000001397000-memory.dmp: 156KB
- memory/3080-0-0x0000000010000000-0x0000000010018000-memory.dmp: 96KB