Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 17:53

Static task: static1
Behavioral task: behavioral1
Sample: 4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll
Resource: win7-20240221-en
General

Target: 4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll
Size: 1.2MB
MD5: 4c5464886e6c66edad677dddc6606f1f
SHA1: 0b422d84ce42e2d925cfb03c21e03cf52c80c99d
SHA256: c16e01bd1c034e16aa5459108ac9894a175f8e9754e1e360f81e0c8ddf720a94
SHA512: 57db43d75b4f3354a9e77a4a4b40086094fb0501f76132c007fa64cb1355b952f8d7258de0460b4646250fb2d2073bf34a50be7d23498e6a09d0065045624652
SSDEEP: 24576:NuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:H9cKrUqZWLAcU
Malware Config

Signatures

Processes:
resource | yara_rule
behavioral2/memory/3436-4-0x0000000003020000-0x0000000003021000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
2932 | iexpress.exe
4016 | DWWIN.EXE
4964 | SystemPropertiesAdvanced.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
2932 | iexpress.exe
4016 | DWWIN.EXE
4964 | SystemPropertiesAdvanced.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Jj0\\DWWIN.EXE" |
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesAdvanced.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexpress.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3156 | rundll32.exe (4 entries)
3436 | (no process name recorded; all remaining entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3436 wrote to memory of 1196 | 3436 | | iexpress.exe
PID 3436 wrote to memory of 1196 | 3436 | | iexpress.exe
PID 3436 wrote to memory of 2932 | 3436 | | iexpress.exe
PID 3436 wrote to memory of 2932 | 3436 | | iexpress.exe
PID 3436 wrote to memory of 1144 | 3436 | | DWWIN.EXE
PID 3436 wrote to memory of 1144 | 3436 | | DWWIN.EXE
PID 3436 wrote to memory of 4016 | 3436 | | DWWIN.EXE
PID 3436 wrote to memory of 4016 | 3436 | | DWWIN.EXE
PID 3436 wrote to memory of 1500 | 3436 | | SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 1500 | 3436 | | SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 4964 | 3436 | | SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 4964 | 3436 | | SystemPropertiesAdvanced.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(all entries are top-level, tree depth 1)

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3156

- C:\Windows\system32\iexpress.exe
  command line: C:\Windows\system32\iexpress.exe
  PID: 1196

- C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
  command line: C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2932

- C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
  PID: 1144

- C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4016

- C:\Windows\system32\SystemPropertiesAdvanced.exe
  command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 1500

- C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
  command line: C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4964
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
  Filesize: 229KB
  MD5: 444cc4d3422a0fdd45c1b78070026c60
  SHA1: 97162ff341fff1ec54b827ec02f8b86fd2d41a97
  SHA256: 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
  SHA512: 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

- C:\Users\Admin\AppData\Local\DZ1GYNyr\wer.dll
  Filesize: 1.2MB
  MD5: ff168cd4b58f4f0b14b1d63f6476a80f
  SHA1: 5a720045f2d0ba93f8762728d704ca76ae35af07
  SHA256: a303487a27eafaa60b4c9bb4621284b93b6ee403b453442841d245415faa75e9
  SHA512: bc422fa05ee844b97aaf0ba8bf7552587a58594d883029216fd343325a559fdb33bbb2c5fbcba22e389f719229b660467e60489e75b1b6bbf22d382a3ef28ba1

- C:\Users\Admin\AppData\Local\gOLI9nr\SYSDM.CPL
  Filesize: 1.2MB
  MD5: 96e0d25dbe4c94c3b1320bf65cd9ac09
  SHA1: 8e5f69c2a39462005b3db69d84b172bb1191a569
  SHA256: 9eabd12a629240eb274a3d925a661438644427d6d763e201679c819a7ba6ec0e
  SHA512: b3ad5b537816d0c3ed6e6090cb34b84dc089537647910adbadc90ffc566b620238884de869606a27a2c6f9041ac8e54c921b338d48a3c4619038729471ead40b

- C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
  Filesize: 82KB
  MD5: fa040b18d2d2061ab38cf4e52e753854
  SHA1: b1b37124e9afd6c860189ce4d49cebbb2e4c57bc
  SHA256: c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c
  SHA512: 511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

- C:\Users\Admin\AppData\Local\tDqov57Z\VERSION.dll
  Filesize: 1.2MB
  MD5: 38a3953bee34f94d77c38e8b6430d378
  SHA1: c429cde7d9e99f2b54c1afed35348aedee572989
  SHA256: 2c5d3ca0a374a95610fa86eb971799477f28cad0bfebe35baf16ae7c3690ee01
  SHA512: ed959b8e7ba882f2e61db77a4c665737638db0e41d2e5aca22473a64d7b08e26b1bc99010ef83fccf6a1dc0bf343ea47f2d9a9796fb59b1ce370df17f3fc1096

- C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
  Filesize: 166KB
  MD5: 17b93a43e25d821d01af40ba6babcc8c
  SHA1: 97c978d78056d995f751dfef1388d7cce4cc404a
  SHA256: d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
  SHA512: 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
  Filesize: 1KB
  MD5: 488e301fce683cf87b9061adee71cad3
  SHA1: 63102dee170ff884f673c6766cc0c1471c1791bc
  SHA256: b7fb24ae4f73987034c1bb85638ba29713f98f8ff9bd108dc6342e2eb0d31c31
  SHA512: 37a1b5b0afb8194aadc5ec5ca3464040d7003db9d6961ba75064c33d6a1a057addb20322785eb5b4c4da7344c11d5d36308de4e8b08bed8938de2f1e80942341
- memory/2932-54-0x00007FF841F20000-0x00007FF842055000-memory.dmp (Filesize: 1.2MB)
- memory/2932-48-0x00007FF841F20000-0x00007FF842055000-memory.dmp (Filesize: 1.2MB)
- memory/2932-51-0x00000195EBCB0000-0x00000195EBCB7000-memory.dmp (Filesize: 28KB)
- memory/3156-41-0x00007FF850EC0000-0x00007FF850FF4000-memory.dmp (Filesize: 1.2MB)
- memory/3156-3-0x0000019497880000-0x0000019497887000-memory.dmp (Filesize: 28KB)
- memory/3156-0-0x00007FF850EC0000-0x00007FF850FF4000-memory.dmp (Filesize: 1.2MB)
- memory/3436-19-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-18-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-12-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-11-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-9-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-8-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-7-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-10-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-14-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-16-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-17-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-13-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-27-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-39-0x00000000010D0000-0x00000000010D7000-memory.dmp (Filesize: 28KB)
- memory/3436-40-0x00007FF85F950000-0x00007FF85F960000-memory.dmp (Filesize: 64KB)
- memory/3436-36-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/3436-4-0x0000000003020000-0x0000000003021000-memory.dmp (Filesize: 4KB)
- memory/3436-6-0x00007FF85F16A000-0x00007FF85F16B000-memory.dmp (Filesize: 4KB)
- memory/3436-15-0x0000000140000000-0x0000000140134000-memory.dmp (Filesize: 1.2MB)
- memory/4016-71-0x00007FF841F20000-0x00007FF842056000-memory.dmp (Filesize: 1.2MB)
- memory/4016-66-0x00007FF841F20000-0x00007FF842056000-memory.dmp (Filesize: 1.2MB)
- memory/4016-65-0x000001E9E8EE0000-0x000001E9E8EE7000-memory.dmp (Filesize: 28KB)
- memory/4964-82-0x0000025361CE0000-0x0000025361CE7000-memory.dmp (Filesize: 28KB)
- memory/4964-88-0x00007FF841F20000-0x00007FF842055000-memory.dmp (Filesize: 1.2MB)