Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
10-05-2024 03:20
Static task
static1
Behavioral task
behavioral1
Sample
2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll
Resource
win7-20240221-en
General
-
Target
2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll
-
Size
991KB
-
MD5
2d1656941c05b70eae56d107d83f5577
-
SHA1
f5b3b27def84a732714206ea9dad1c4b2072ea86
-
SHA256
42c3f84d09b06797c56cad933f7451ba82d1de626e48d88a57c602475057454c
-
SHA512
26ed912364236a321553a13fe7d19c886cb9b883481a54ba1a875a03055720dcb672e0e8aba8a37c9002b5267203cb88190ee08ae4391bade92713cacc4de883
-
SSDEEP
24576:VVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:VV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
2676  rdpshell.exe
4896  sdclt.exe
4848  WMPDMC.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
2676  rdpshell.exe
4896  sdclt.exe
4848  WMPDMC.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\j4IMGMKoE\\sdclt.exe"
process: (not recorded)
Checks whether UAC is enabled
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpshell.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WMPDMC.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1632  rundll32.exe (4 entries)
3212  (no process name recorded) (60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process         target process
PID 3212 wrote to memory of 2104   3212  (not recorded)  rdpshell.exe  (listed twice)
PID 3212 wrote to memory of 2676   3212  (not recorded)  rdpshell.exe  (listed twice)
PID 3212 wrote to memory of 3432   3212  (not recorded)  sdclt.exe     (listed twice)
PID 3212 wrote to memory of 4896   3212  (not recorded)  sdclt.exe     (listed twice)
PID 3212 wrote to memory of 1392   3212  (not recorded)  WMPDMC.exe    (listed twice)
PID 3212 wrote to memory of 4848   3212  (not recorded)  WMPDMC.exe    (listed twice)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
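The two persistence artifacts the report records are the Run value under the user's hive (the "Adds Run key" entry above, which launches a copy of sdclt.exe from inside the jump-list cache) and the Lyvwlrjkvg.lnk dropped into the Startup folder (listed under Downloads). The following is an added example, not code from the Tria.ge report: it parses the Set value IOC exactly as the report prints it, maps the \REGISTRY\USER\<SID> kernel path back to HKCU, and then scores each autorun entry against the checks an analyst would apply by hand. The IOC string and the .lnk path are transcribed from the report; the .lnk target is not on the page and stays unresolved. The consonant-run heuristic and the short SYSTEM32_NAMES list are assumptions for illustration.

```python
"""Autorun triage for the persistence artifacts in this report.

Added example, not part of the Tria.ge report. RUN_VALUE_IOC and STARTUP_LNK are
transcribed from the report; the .lnk target is not on the page and is left
unresolved. The consonant-run heuristic and the short SYSTEM32_NAMES list are
assumptions for illustration.
"""
import ntpath
import re

RUN_VALUE_IOC = (
    r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent'
    r'\\CustomDestinations\\j4IMGMKoE\\sdclt.exe"'
)
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1"
               r"\Programs\Startup\Lyvwlrjkvg.lnk")

SYSTEM32_NAMES = {"rdpshell.exe", "sdclt.exe", "wmpdmc.exe"}  # assumption: only names seen in the report
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# "<key>\<value name> = "<data>"" is how the report prints a Set value IOC.
IOC_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
SID_KEY_RE = re.compile(r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\(?P<sub>.*)$")


def parse_registry_ioc(ioc):
    """Split a Set value IOC into hive, SID, subkey, value name and unescaped data."""
    m = IOC_RE.match(ioc)
    if not m:
        raise ValueError("not a Set value IOC: " + ioc)
    key = m["key"]
    sid_m = SID_KEY_RE.match(key)
    if sid_m:  # \REGISTRY\USER\<SID> is what that logged-on user sees as HKCU
        hive, sid, sub = "HKCU", sid_m["sid"], sid_m["sub"]
    elif key.startswith("\\REGISTRY\\MACHINE\\"):
        hive, sid, sub = "HKLM", None, key[len("\\REGISTRY\\MACHINE\\"):]
    else:
        hive, sid, sub = "?", None, key
    return {"hive": hive, "sid": sid, "subkey": sub, "name": m["name"],
            "data": m["data"].replace("\\\\", "\\")}  # the IOC escapes backslashes


def longest_consonant_run(name):
    """Heuristic for machine-generated names: long runs of letters without a vowel."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify_autorun(location, name, target):
    """Reasons an autorun entry deserves attention; an empty list means none fired."""
    reasons = []
    t = (target or "").lower()
    if any(d in t for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if "\\recent\\customdestinations\\" in t:
        reasons.append("target sits in the jump-list cache, which holds no executables on a clean system")
    if ntpath.basename(t) in SYSTEM32_NAMES and not t.startswith("c:\\windows\\"):
        reasons.append("System32 binary name launched from outside System32 (sideload host)")
    if longest_consonant_run(name) >= 4:
        reasons.append("entry name looks machine-generated")
    if target is None and location.lower().endswith("\\startup"):
        reasons.append("Startup .lnk with unresolved target; resolve it before judging")
    return reasons


def triage_report_artifacts():
    """Apply the checks to both artifacts from the report; keyed by location."""
    run = parse_registry_ioc(RUN_VALUE_IOC)
    run_loc = run["hive"] + "\\" + run["subkey"]
    lnk_dir, lnk_file = ntpath.split(STARTUP_LNK)
    lnk_name = ntpath.splitext(lnk_file)[0]
    return {
        run_loc + "\\" + run["name"]: classify_autorun(run_loc, run["name"], run["data"]),
        STARTUP_LNK: classify_autorun(lnk_dir, lnk_name, None),
    }


if __name__ == "__main__":
    for where, reasons in triage_report_artifacts().items():
        print(where)
        for r in reasons:
            print("  -", r)
```

The Run value fires all four path and name checks; the Startup .lnk fires only the name check plus the unresolved-target reminder, which is the point of keeping that branch: a .lnk in Startup is not a verdict until its target is read from the shortcut itself.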
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
PID:2104
-
C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2676
-
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
PID:3432
-
C:\Users\Admin\AppData\Local\V92H\sdclt.exe
C:\Users\Admin\AppData\Local\V92H\sdclt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4896
-
C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
PID:1392
-
C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4848
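The process tree, the "Executes dropped EXE" / "Loads dropped DLL" entries and the WriteProcessMemory rows together describe one staging pattern: PID 3212 (never named in the tree) writes into a freshly started System32 binary (rdpshell.exe 2104, sdclt.exe 3432, WMPDMC.exe 1392), then into a copy of that same binary under %LOCALAPPDATA%\<random>\ where a DLL carrying a System32 name (dwmapi.dll, SPP.dll) has been dropped beside it, so the copy loads the planted DLL through the search order instead of the real one. Note also that the two dwmapi.dll drops have different hashes, so hash matching alone catches at most one of them. The following is an added example, not code from the Tria.ge report: it takes the dropped-file list, process tree and write rows transcribed from the report and recovers the sideload pairs and the injection chain without relying on hashes. SYSTEM32_NAMES is a deliberately short assumption covering only the names the report shows; a real hunt would enumerate a clean C:\Windows\System32.

```python
"""Triage helpers for the DLL search-order hijack staged in this report.

Added example, not part of the Tria.ge report. The data below is transcribed
from the report (dropped files, process tree, WriteProcessMemory rows); the
SYSTEM32_NAMES list is a short assumption covering only the names the report
shows. A real hunt would enumerate a clean C:\\Windows\\System32.
"""
import ntpath

# Assumption: names that belong in System32 on a stock Windows 10 image.
SYSTEM32_NAMES = {"rdpshell.exe", "sdclt.exe", "wmpdmc.exe", "dwmapi.dll", "spp.dll"}

# Transcribed from the report's Downloads section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\BhcL8AbHH\dwmapi.dll",
    r"C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\V92H\SPP.dll",
    r"C:\Users\Admin\AppData\Local\V92H\sdclt.exe",
    r"C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe",
    r"C:\Users\Admin\AppData\Local\wKfcn7bg\dwmapi.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk",
]

# Transcribed from the report's process tree: pid -> image path.
PROCESSES = {
    1632: r"C:\Windows\system32\rundll32.exe",
    2104: r"C:\Windows\system32\rdpshell.exe",
    2676: r"C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe",
    3432: r"C:\Windows\system32\sdclt.exe",
    4896: r"C:\Users\Admin\AppData\Local\V92H\sdclt.exe",
    1392: r"C:\Windows\system32\WMPDMC.exe",
    4848: r"C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe",
}

# Transcribed from "Suspicious use of WriteProcessMemory" as (writer pid, target pid);
# the report lists every row twice, each is listed once here.
WRITES = [(3212, 2104), (3212, 2676), (3212, 3432), (3212, 4896), (3212, 1392), (3212, 4848)]


def find_sideload_pairs(paths):
    """Return (exe_path, dll_name) pairs where a System32-named EXE sits in a
    user-writable directory next to a System32-named DLL. The EXE is the signed
    host; the DLL beside it wins the search order over the real one."""
    by_dir = {}
    for p in paths:
        d, name = ntpath.split(p)
        by_dir.setdefault(d.lower(), (d, []))[1].append(name)
    pairs = []
    for key, (d, names) in by_dir.items():
        if not key.startswith("c:\\users\\"):  # user-writable: anything under a profile
            continue
        exes = [n for n in names if n.lower() in SYSTEM32_NAMES and n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower() in SYSTEM32_NAMES and n.lower().endswith(".dll")]
        pairs.extend((ntpath.join(d, e), l) for e in exes for l in dlls)
    return sorted(pairs)


def injection_chain(writes, processes):
    """writer pid -> list of target images, in report order."""
    chain = {}
    for writer, target in writes:
        chain.setdefault(writer, []).append(processes.get(target, f"<pid {target}>"))
    return chain


def unrecorded_writers(chain, processes):
    """Writers that injected into others but never appear in the process tree."""
    return sorted(w for w in chain if w not in processes)


def staged_sideloads(chain, pairs):
    """Injection targets that are also sideload-staged copies. In the report the
    writer wrote into the real System32 binary (2104, 3432, 1392) and then into
    the staged copy (2676, 4896, 4848) for each of the three hosts."""
    staged = {exe.lower() for exe, _ in pairs}
    return {w: [t for t in targets if t.lower() in staged] for w, targets in chain.items()}


if __name__ == "__main__":
    pairs = find_sideload_pairs(DROPPED_FILES)
    chain = injection_chain(WRITES, PROCESSES)
    for exe, dll in pairs:
        print(f"sideload host {exe} <- {dll}")
    print("writers missing from process tree:", unrecorded_writers(chain, PROCESSES))
    print("staged targets of 3212:", staged_sideloads(chain, pairs)[3212])
```

The pairing check is what survives the per-drop hash variation: it keys on a System32 file name outside System32 with a System32 DLL name beside it, which is the structural invariant of this technique, and it flags the .lnk directory as nothing because no System32 name lives there.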
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\BhcL8AbHH\dwmapi.dll
Filesize 993KB
MD5 74dc7982ce6fb290c5123f6b74f670c3
SHA1 55678c456a9dea4a214b93ac0940c290a48c81e0
SHA256 7098e8d6978dc04d7b5e5ba3c65568c49c6ad3ef5ae98661d7f8d54693add7a5
SHA512 e2b1527e444a66799079f9d1d817ce7539c0c9a83f1bc8177fc7994de65a1880ea3bf652aec1f8e15df29dd74dec32892b365a55c724e192d3b18354c5d29f66
-
C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
Filesize 468KB
MD5 428066713f225bb8431340fa670671d4
SHA1 47f6878ff33317c3fc09c494df729a463bda174c
SHA256 da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd
SHA512 292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737
-
C:\Users\Admin\AppData\Local\V92H\SPP.dll
Filesize 992KB
MD5 65b730ca6beecc26053dddf03fce780e
SHA1 6ab8ed9c236e1a606518adae03684a35370b7d25
SHA256 275c2009d402e8961d5e9673257354565d4ca800497f14404bb4980e26ddb6b6
SHA512 16e63d843d24dbd37c405dc16cb6bf794638cf2ee244a2ac6cb9c30c12a1e710866868ad386914396a9dac085d45f7b5d07646edaaf9af3650bc8c1942344da8
-
C:\Users\Admin\AppData\Local\V92H\sdclt.exe
Filesize 1.2MB
MD5 e09d48f225e7abcab14ebd3b8a9668ec
SHA1 1c5b9322b51c09a407d182df481609f7cb8c425d
SHA256 efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512 384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4
-
C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
Filesize 1.5MB
MD5 59ce6e554da0a622febce19eb61c4d34
SHA1 176a4a410cb97b3d4361d2aea0edbf17e15d04c7
SHA256 c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba
SHA512 e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18
-
C:\Users\Admin\AppData\Local\wKfcn7bg\dwmapi.dll
Filesize 993KB
MD5 f7e10d4130e9f313c0b00ee2f805b7bf
SHA1 f93e423b76329b4e8c7833b671f228b2de01d144
SHA256 a5161fb1911a23159a4b2b56d09989b424721a30d4cae69d2b1c1de7a25c62a9
SHA512 6371fc27bb83bdd9b3d6e61ed8f16a0401488f4aec343f5ed1ed290d68723c92fd3a4385b5f081cb2e45e148a76d77d39a9162c6996b303d114278bdb3cb19c8
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize 1KB
MD5 ba8c234f23ad342ffe44be75b8a13a83
SHA1 d27d95c4dc64b713a8145e45615e9529c25aa0e8
SHA256 c0b950961fe211c249dee422f4444d8d31655e84579dbccf1204e28165049122
SHA512 f62ce9f98c3db08bc1e9bb8dcb5923d07a36e2e024a632032b22c5b0932d6648176b6706407e0aed04c4c40df88173e511ed6c3dffa65507b8c01d349974677f
-
memory dump                                                        Filesize
memory/1632-37-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/1632-0-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
memory/1632-3-0x0000015755AC0000-0x0000015755AC7000-memory.dmp     28KB
memory/2676-50-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
memory/2676-44-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
memory/2676-47-0x000001D6389E0000-0x000001D6389E7000-memory.dmp    28KB
memory/3212-31-0x0000000000ED0000-0x0000000000ED7000-memory.dmp    28KB
memory/3212-32-0x00007FFBA0730000-0x00007FFBA0740000-memory.dmp    64KB
memory/3212-7-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
memory/3212-9-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
memory/3212-10-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/3212-11-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/3212-13-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/3212-30-0x00007FFBA051A000-0x00007FFBA051B000-memory.dmp    4KB
memory/3212-34-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/3212-8-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
memory/3212-22-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp     4KB
memory/3212-6-0x0000000140000000-0x00000001400FC000-memory.dmp     1008KB
memory/3212-12-0x0000000140000000-0x00000001400FC000-memory.dmp    1008KB
memory/4848-83-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
memory/4896-67-0x0000000140000000-0x00000001400FD000-memory.dmp    1012KB
memory/4896-64-0x000001961CBE0000-0x000001961CBE7000-memory.dmp    28KB
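The memory dump names above encode the PID and the dumped address range, which is enough to link processes without opening a single dump: the region at 0x140000000 with size 0xFC000 (1008KB) was dumped from both rundll32.exe (1632) and the unnamed PID 3212, and a 0xFD000 (1012KB) region at the same base was dumped from each of the three sideloaded hosts (2676, 4896, 4848). A 0x7000 (28KB) region also appears in four processes at unrelated bases, which is consistent with a runtime allocation rather than a mapped image. The dumps themselves are not on the page, so these are pointers for where to look, not verdicts. The following is an added example, not code from the Tria.ge report: it parses the dump names transcribed from the list above and groups them by mapped region and by size.

```python
"""Group the memory dumps listed in this report by mapped region.

Added example, not part of the Tria.ge report. DUMP_NAMES is transcribed from
the report's Downloads section; the parsing and grouping logic is the editor's own.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/1632-37-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/1632-0-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/1632-3-0x0000015755AC0000-0x0000015755AC7000-memory.dmp",
    "memory/2676-50-0x0000000140000000-0x00000001400FD000-memory.dmp",
    "memory/2676-44-0x0000000140000000-0x00000001400FD000-memory.dmp",
    "memory/2676-47-0x000001D6389E0000-0x000001D6389E7000-memory.dmp",
    "memory/3212-31-0x0000000000ED0000-0x0000000000ED7000-memory.dmp",
    "memory/3212-32-0x00007FFBA0730000-0x00007FFBA0740000-memory.dmp",
    "memory/3212-7-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-9-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-10-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-11-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-13-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-30-0x00007FFBA051A000-0x00007FFBA051B000-memory.dmp",
    "memory/3212-34-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-8-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-22-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp",
    "memory/3212-6-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/3212-12-0x0000000140000000-0x00000001400FC000-memory.dmp",
    "memory/4848-83-0x0000000140000000-0x00000001400FD000-memory.dmp",
    "memory/4896-67-0x0000000140000000-0x00000001400FD000-memory.dmp",
    "memory/4896-64-0x000001961CBE0000-0x000001961CBE7000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as the report names its dumps.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return pid, sequence number, start address and region size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unexpected dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "size": end - start}


def size_kb(region):
    """Size as the report prints it (whole KB)."""
    return region["size"] // 1024


def pids_by_mapping(names):
    """(start, size) -> sorted PIDs that had a dump of exactly that region."""
    groups = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        groups[(r["start"], r["size"])].add(r["pid"])
    return {k: sorted(v) for k, v in groups.items()}


def shared_mappings(names, min_pids=2):
    """Regions dumped at the same base and size in several processes: the same
    image mapped at its preferred base in each is the usual explanation."""
    return {k: v for k, v in pids_by_mapping(names).items() if len(v) >= min_pids}


def pids_by_size(names, size):
    """PIDs holding a dumped region of exactly `size` bytes, at any base."""
    return sorted({parse_dump_name(n)["pid"] for n in names if parse_dump_name(n)["size"] == size})


if __name__ == "__main__":
    for (start, size), pids in shared_mappings(DUMP_NAMES).items():
        print(f"0x{start:X} size 0x{size:X} ({size // 1024}KB) in PIDs {pids}")
    print("0x7000 regions in PIDs", pids_by_size(DUMP_NAMES, 0x7000))
```

Grouping by (base, size) rather than by size alone is deliberate: image mappings reproduce both, while heap or shellcode allocations reproduce at most the size, so the two groupings separate "same module in several processes" from "same-sized private allocation in several processes".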