Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 17:36
Static task: static1
Behavioral task: behavioral1
Sample: 304109f9a5c3726818b4c3668fdb71fd_JaffaCakes118.dll
Resource: win7-20240215-en
General
Target: 304109f9a5c3726818b4c3668fdb71fd_JaffaCakes118.dll
Size: 1.2MB
MD5: 304109f9a5c3726818b4c3668fdb71fd
SHA1: 2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256: af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512: cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP: 24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- YARA rule match
  resource | yara_rule
  behavioral2/memory/3448-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid | process
  3856 | eudcedit.exe
  3496 | msdt.exe
  1060 | unregmp2.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  3856 | eudcedit.exe
  3496 | msdt.exe
  1060 | unregmp2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\CnShArsHWOV\\msdt.exe" | (process not recorded)
- Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eudcedit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msdt.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  888 | rundll32.exe (4 entries)
  3448 | (process name not recorded; remaining 60 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3448 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 3448 | (process name not recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | target process
  PID 3448 wrote to memory of 3896 | 3448 | eudcedit.exe
  PID 3448 wrote to memory of 3896 | 3448 | eudcedit.exe
  PID 3448 wrote to memory of 3856 | 3448 | eudcedit.exe
  PID 3448 wrote to memory of 3856 | 3448 | eudcedit.exe
  PID 3448 wrote to memory of 4440 | 3448 | msdt.exe
  PID 3448 wrote to memory of 4440 | 3448 | msdt.exe
  PID 3448 wrote to memory of 3496 | 3448 | msdt.exe
  PID 3448 wrote to memory of 3496 | 3448 | msdt.exe
  PID 3448 wrote to memory of 3364 | 3448 | unregmp2.exe
  PID 3448 wrote to memory of 3364 | 3448 | unregmp2.exe
  PID 3448 wrote to memory of 1060 | 3448 | unregmp2.exe
  PID 3448 wrote to memory of 1060 | 3448 | unregmp2.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\304109f9a5c3726818b4c3668fdb71fd_JaffaCakes118.dll,#1
  PID: 888
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8
  PID: 3036
- C:\Windows\system32\eudcedit.exe
  Command line: C:\Windows\system32\eudcedit.exe
  PID: 3896
- C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
  Command line: C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
  PID: 3856
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\msdt.exe
  Command line: C:\Windows\system32\msdt.exe
  PID: 4440
- C:\Users\Admin\AppData\Local\Gf1\msdt.exe
  Command line: C:\Users\Admin\AppData\Local\Gf1\msdt.exe
  PID: 3496
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 3364
- C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
  PID: 1060
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Gf1\msdt.exe
  Filesize: 421KB
  MD5: 992c3f0cc8180f2f51156671e027ae75
  SHA1: 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29
  SHA256: 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f
  SHA512: 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf
- C:\Users\Admin\AppData\Local\Gf1\wer.dll
  Filesize: 1.2MB
  MD5: 329a1ab36e2a5573431ef70520c447ef
  SHA1: 96ad13b994dfe9384e11470fe6c8bec7ce67d9f3
  SHA256: 970ebcf884d006d46a0e0b85b105f4df4d0a562353e62b758824a58ca8065cf7
  SHA512: 55f4342f47c679f2e13dd4d303fc40b60f2252bdf0dd75df1c0a518b91ac00835f9edbc328a67c270496a817e180adee2ebace0a08587c1c7cb6d98fce3f7855
- C:\Users\Admin\AppData\Local\HtGPUe\MFC42u.dll
  Filesize: 1.3MB
  MD5: 55848e59e50a14243e4f9de1db476399
  SHA1: 16961645194e983d6e15d843cb0a2af8358221fa
  SHA256: 02c036e4d45fd29986ae9b41b7600e0601594c97ae7600537a50868f5a65477a
  SHA512: 290675864f6d281cc07c39cd101ce292b342704e2c2602c0d1db6d640aa9cdfebf6f1bd5f6714564bfc3e0f3333d16e4fa64a6ddf7ddc41d15de700321c7369a
- C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
  Filesize: 365KB
  MD5: a9de6557179d371938fbe52511b551ce
  SHA1: def460b4028788ded82dc55c36cb0df28599fd5f
  SHA256: 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
  SHA512: 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c
- C:\Users\Admin\AppData\Local\XJcv\VERSION.dll
  Filesize: 1.2MB
  MD5: 7b3afc9f4ffb41df1617fc591111e377
  SHA1: 7531405da0ab7df5d7b8937857257c7a9e95cf67
  SHA256: 3fcf7e70e038eeff9a39cb770b4d5f825375e1574e8bb70e01500876e31f5c7a
  SHA512: 33d386d9666be83547990ff8ffb4b6bc06df079384c57474a811652db95827b605ae1734d58a7a039786a7b6092dca4c88f3f1c2d454e98a15d31af03cdbf4e1
- C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
  Filesize: 259KB
  MD5: a6fc8ce566dec7c5873cb9d02d7b874e
  SHA1: a30040967f75df85a1e3927bdce159b102011a61
  SHA256: 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
  SHA512: f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
  Filesize: 1KB
  MD5: 05b5367cca3526200fee95367dc2d523
  SHA1: 215ef6f0fd6ca02f30bcfe0ae816aa3291356657
  SHA256: 23bacada41dd34fddd943cc8273cf2ce56e4a429877b85b915df63581a09c3ce
  SHA512: c31b119fc10d67bf3308e17afe8fcad9a202044b5a9a74a743f8f48370e00cc7795dec6f1095efdc489276c83aa6c4bd59cc857592425e2449eebfe88895be90
- memory/888-39-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/888-0-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/888-3-0x0000023FF2C50000-0x0000023FF2C57000-memory.dmp (Filesize: 28KB)
- memory/1060-80-0x0000000140000000-0x0000000140144000-memory.dmp (Filesize: 1.3MB)
- memory/1060-83-0x0000024D54740000-0x0000024D54747000-memory.dmp (Filesize: 28KB)
- memory/1060-86-0x0000000140000000-0x0000000140144000-memory.dmp (Filesize: 1.3MB)
- memory/3448-13-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-12-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-8-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-7-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-37-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-16-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-10-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-11-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp (Filesize: 4KB)
- memory/3448-6-0x00007FF8CC2DA000-0x00007FF8CC2DB000-memory.dmp (Filesize: 4KB)
- memory/3448-15-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-9-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-14-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-25-0x0000000140000000-0x0000000140143000-memory.dmp (Filesize: 1.3MB)
- memory/3448-27-0x00007FF8CCF10000-0x00007FF8CCF20000-memory.dmp (Filesize: 64KB)
- memory/3448-26-0x00000000010E0000-0x00000000010E7000-memory.dmp (Filesize: 28KB)
- memory/3496-69-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/3496-63-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/3496-66-0x000001F9266A0000-0x000001F9266A7000-memory.dmp (Filesize: 28KB)
- memory/3856-52-0x0000000140000000-0x000000014014A000-memory.dmp (Filesize: 1.3MB)
- memory/3856-49-0x00000254209E0000-0x00000254209E7000-memory.dmp (Filesize: 28KB)
- memory/3856-46-0x0000000140000000-0x000000014014A000-memory.dmp (Filesize: 1.3MB)