Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 01:21
Tasks
static1 (static task)
behavioral1 (behavioral task): sample 4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll, resource win7-20240508-en
Note: the task list as extracted ends at behavioral1 (Windows 7); the run detailed on this page is the Windows 10 task (platform above, and the YARA match below is labelled behavioral2).
General
Target: 4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll
Size: 994KB
MD5: 4de1802eeeb526cee64cf6946d1bdc4a
SHA1: 79f7ba91361abcca592416d8b408c83249b40547
SHA256: e167ea16a662e535c35f519dc669ea9ce70c91bff456e0fd6738fb62ea42fb2c
SHA512: 11ede8d741dd2a7ee9c3d32800ac88a8075bf4b9dce83ede1f9285bb5b9acf80455564428d9f1599d505b2e8a8e7fa1bcef5983a2675e2ff7d0eb6a6b44fbbd6
SSDEEP: 24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
Dridex stager shellcode (YARA match)
resource: behavioral2/memory/3388-4-0x00000000023D0000-0x00000000023D1000-memory.dmp
rule: dridex_stager_shellcode
The matching region is a single 4KB page in PID 3388 (listed under the memory dumps below); PID 3388 has no image name anywhere in this report.
Executes dropped EXE (3 IoCs)
PID 4348  cmstp.exe
PID 3812  RecoveryDrive.exe
PID 1720  wbengine.exe
Loads dropped DLL (4 IoCs)
PID 4348  cmstp.exe (two loads)
PID 3812  RecoveryDrive.exe
PID 1720  wbengine.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\VaoOv6KG\\RECOVE~1.EXE"
The value data is written with 8.3 short names (FLASHP~1, RECOVE~1.EXE), so a rule that matches the long name RecoveryDrive.exe in Run-key data will miss it; match on the tilde form as well, or expand the path before comparing. A second persistence artifact, the Startup-folder shortcut Zgbuverbplpthj.lnk, is listed under Downloads below but has no signature entry of its own.
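Parsing the Run-key IoC above and resolving its 8.3 components against the file names this report lists, as an added example (not part of the Tria.ge report). The function and field names are this example's own; the short-name generation is an approximation of the Windows algorithm and the ~N ordinal cannot be verified without the target filesystem, so results are candidates, not confirmed paths.

```python
import re

# Constructed input: the Run-key line as the report prints it (doubled backslashes included).
RUN_KEY_IOC = (
    r'\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\VaoOv6KG\\RECOVE~1.EXE"'
)

# Constructed: executable names from the Downloads section of this report, plus the
# directory name Adobe Flash Player installs under (an assumption for the FLASHP~1 component).
KNOWN_LONG_NAMES = ["RecoveryDrive.exe", "cmstp.exe", "wbengine.exe", "Flash Player"]

# An 8.3 component: up to six stem characters, a tilde and ordinal, optional 3-char extension.
SHORT_COMPONENT = re.compile(r"^([A-Z0-9_]{1,6})~\d+(?:\.([A-Z0-9]{1,3}))?$", re.I)


def parse_run_ioc(raw):
    """Split 'key\\valuename = "data"' into (key, value_name, data), undoing the
    doubled backslashes the report uses inside the quoted data."""
    key_part, _, data = raw.partition(" = ")
    key, _, value_name = key_part.rpartition("\\")
    data = data.strip().strip('"').replace("\\\\", "\\")
    return key, value_name, data


def short_name_stem(long_name):
    """Approximate Windows 8.3 generation: strip spaces and dots from the stem,
    uppercase, keep six characters; the extension keeps its first three."""
    if "." in long_name:
        stem, _, ext = long_name.rpartition(".")
    else:
        stem, ext = long_name, ""
    stem = re.sub(r"[ .]", "", stem).upper()[:6]
    return stem, ext.upper()[:3]


def resolve_component(component, known_long_names):
    """Known long names whose generated 8.3 form matches component
    (RECOVE~1.EXE -> RecoveryDrive.exe). Returns [] for non-8.3 components."""
    m = SHORT_COMPONENT.match(component)
    if not m:
        return []
    want = (m.group(1).upper(), (m.group(2) or "").upper())
    return [n for n in known_long_names if short_name_stem(n) == want]


def analyse_run_ioc(raw, known_long_names):
    """Produce the checks a hunter wants on a Run-key IoC: the value name, the
    unescaped target path, whether 8.3 names are used, what they resolve to,
    and whether the target lives under a user profile's AppData."""
    _, value_name, target = parse_run_ioc(raw)
    components = target.split("\\")
    resolved = {c: resolve_component(c, known_long_names) for c in components if "~" in c}
    return {
        "value_name": value_name,
        "target": target,
        "uses_short_names": bool(resolved),
        "resolved": resolved,
        "under_appdata": "\\appdata\\" in target.lower(),
    }


if __name__ == "__main__":
    for k, v in analyse_run_ioc(RUN_KEY_IOC, KNOWN_LONG_NAMES).items():
        print(f"{k}: {v}")
```

The point of `resolve_component` is that a hunting query on `RecoveryDrive.exe` never sees this value; the matcher instead derives the short form of each known name and compares, which is the direction that works offline.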
Checks whether UAC is enabled (4 IoCs)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by cmstp.exe
  by RecoveryDrive.exe
  by wbengine.exe
  by rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4688  rundll32.exe (4 entries)
PID 3388  (no image name in the report; remaining 60 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
PID 3388 wrote to memory of PID 2800  cmstp.exe (2 entries)
PID 3388 wrote to memory of PID 4348  cmstp.exe (2 entries)
PID 3388 wrote to memory of PID 4460  RecoveryDrive.exe (2 entries)
PID 3388 wrote to memory of PID 3812  RecoveryDrive.exe (2 entries)
PID 3388 wrote to memory of PID 3364  wbengine.exe (2 entries)
PID 3388 wrote to memory of PID 1720  wbengine.exe (2 entries)
PID 3388 is the writer in all twelve entries. It is absent from the process tree and has no image name in this report, yet it is the process whose 4KB region at 0x23D0000 matched dridex_stager_shellcode, and its dumps include the same 1012KB mapping at 0x140000000 that rundll32.exe (PID 4688) holds. That is consistent with code injected into an already-running process that then writes into each freshly started cmstp.exe, RecoveryDrive.exe and wbengine.exe instance, both the System32 original and the dropped copy.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven entries sit at tree depth 1: the process that wrote into each of them (PID 3388, see "Suspicious use of WriteProcessMemory") is not part of the tree. Each System32 binary is followed by a same-named executable under C:\Users\Admin\AppData\Local\<random>\, and it is that second instance which is flagged for running a dropped EXE and loading a dropped DLL. The Downloads section lists a DLL beside each of those executables (VERSION.dll, ReAgent.dll, SPP.dll) with a size within a few KB of the submitted sample, which is the DLL side-loading layout: a legitimate host binary relocated next to a malicious DLL carrying a dependency's name.

C:\Windows\system32\rundll32.exe  (PID 4688)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmstp.exe  (PID 2800)

C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe  (PID 4348)
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\RecoveryDrive.exe  (PID 4460)

C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe  (PID 3812)
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\wbengine.exe  (PID 3364)

C:\Users\Admin\AppData\Local\XVU\wbengine.exe  (PID 1720)
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
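Detection logic for the side-loading layout shown in the process tree, as an added example that is not part of the Tria.ge report. The events, dropped-file list and memory-write pairs are constructed from the PIDs, paths and sizes on this page; the dict fields and function names are this example's own schema, not Sysmon or Tria.ge output. The rule is: a name that also runs from System32 executes from a user-writable directory, a DLL sits in the same directory, and that DLL is about the size of the submitted sample.

```python
import ntpath
import re

SAMPLE_SIZE_KB = 994  # submitted DLL, from the General section

# Constructed from the Processes section.
PROCESS_EVENTS = [
    {"pid": 4688, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 2800, "image": r"C:\Windows\system32\cmstp.exe"},
    {"pid": 4348, "image": r"C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe"},
    {"pid": 4460, "image": r"C:\Windows\system32\RecoveryDrive.exe"},
    {"pid": 3812, "image": r"C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe"},
    {"pid": 3364, "image": r"C:\Windows\system32\wbengine.exe"},
    {"pid": 1720, "image": r"C:\Users\Admin\AppData\Local\XVU\wbengine.exe"},
]

# Constructed from the Downloads section: (path, size in KB).
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\XPcnJFHOY\VERSION.dll", 995),
    (r"C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe", 96),
    (r"C:\Users\Admin\AppData\Local\XVU\SPP.dll", 994),
    (r"C:\Users\Admin\AppData\Local\XVU\wbengine.exe", 1536),
    (r"C:\Users\Admin\AppData\Local\cCnkr\ReAgent.dll", 996),
    (r"C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe", 911),
]

# Constructed from the WriteProcessMemory section: (writer pid, target pid).
MEMORY_WRITES = [(3388, 2800), (3388, 4348), (3388, 4460),
                 (3388, 3812), (3388, 3364), (3388, 1720)]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def find_sideloading(events, dropped, writes, sample_kb, tolerance=0.02):
    """Return one finding per executable that (a) runs from a user-writable
    directory, (b) carries the name of a binary seen running from System32
    in the same trace, and (c) has DLLs dropped beside it. Also records which
    PIDs wrote into it and whether a co-located DLL is within `tolerance`
    of the sample's size."""
    # On a real host enumerate System32 instead of trusting the trace.
    windows_names = {ntpath.basename(e["image"]).lower()
                     for e in events if in_system_dir(e["image"])}
    dlls_by_dir = {}
    for path, kb in dropped:
        directory, name = ntpath.split(path)
        if name.lower().endswith(".dll"):
            near = abs(kb - sample_kb) <= sample_kb * tolerance
            dlls_by_dir.setdefault(directory.lower(), []).append((name, near))
    hits = []
    for e in events:
        directory, name = ntpath.split(e["image"])
        if in_system_dir(e["image"]) or not USER_WRITABLE.match(e["image"]):
            continue
        if name.lower() not in windows_names:
            continue
        dlls = dlls_by_dir.get(directory.lower(), [])
        hits.append({
            "pid": e["pid"],
            "image": e["image"],
            "windows_binary_name": name,
            "sideload_dlls": [n for n, _ in dlls],
            "dll_near_sample_size": any(near for _, near in dlls),
            "written_by": sorted({src for src, dst in writes if dst == e["pid"]}),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sideloading(PROCESS_EVENTS, DROPPED_FILES, MEMORY_WRITES, SAMPLE_SIZE_KB):
        print(hit)
```

The size check is what separates this layout from a benign portable copy of a Windows tool: each dropped DLL is within a few KB of the 994KB sample, so the payload is almost certainly the submitted DLL renamed to VERSION.dll, ReAgent.dll and SPP.dll.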
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\XPcnJFHOY\VERSION.dll
  Filesize: 995KB
  MD5: 87d91faea4e81d9f28a03277ca691111
  SHA1: 478cc35381b33ad25f771fac8792c5dbb6de678e
  SHA256: 0e11009a7db215cb6eac978a481ad5ad21f422087bafd7b61fc5e2eb5a0c229a
  SHA512: e6c2ab09d087aa4466332a7297122b6845a735ce7c2c2ada785591e17000a555295c52797d5b7d73069730d0712a9761d0e8fab3274b09938ffde1df296ae57f

C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe
  Filesize: 96KB
  MD5: 4cc43fe4d397ff79fa69f397e016df52
  SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
  SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
  SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

C:\Users\Admin\AppData\Local\XVU\SPP.dll
  Filesize: 994KB
  MD5: 54a2ace00d82c7b5a988e1af75a600ec
  SHA1: 884cc24de799c44b97ea3b267454ce511829db33
  SHA256: 06b39e58d8957937afaeab2818338ce595808aa5f1c9bf86db5e8d8793894722
  SHA512: 5b76db9e2486d58faf37de755c1d6b6010256ff666e464dc987c25cd8a9c64255b1239202ef343dea480bc906ce5c684f13fbbb8d4fb459f83b38cf0ffdc579f

C:\Users\Admin\AppData\Local\XVU\wbengine.exe
  Filesize: 1.5MB
  MD5: 17270a354a66590953c4aac1cf54e507
  SHA1: 715babcc8e46b02ac498f4f06df7937904d9798d
  SHA256: 9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4
  SHA512: 6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

C:\Users\Admin\AppData\Local\cCnkr\ReAgent.dll
  Filesize: 996KB
  MD5: 15f6adae87013aa0cf7c3d9fe66255a4
  SHA1: 90efbc1294a0eff99a729223f6ccc7b243ceb438
  SHA256: 14bc3adb79291d84915a6e6aa1a0cfcceee234e4b8da26eb4b7b82676d512b5a
  SHA512: b21d9716a6b785ed5b9e9f36b3ea882e14d0149b10746ed733db8f97b5f28e15f58c7db53cc0654e9dac3d56eef79a67d57b6e02a9064ae99b1b4a6c239783d7

C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe
  Filesize: 911KB
  MD5: b9b3dc6f2eb89e41ff27400952602c74
  SHA1: 24ae07e0db3ace0809d08bbd039db3a9d533e81b
  SHA256: 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
  SHA512: 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
  Filesize: 1KB
  MD5: b29c5216ead50ccea39d78efccfd8a8e
  SHA1: e34ab9d63d445504c1d3a11cd93abe9038a0d53e
  SHA256: 5bf32e2da5042a1402768d25f94d9d03def86e229478df16e1610485e5426d71
  SHA512: 021eb74ec096113272941b80f678b8f5a670dc6a612b54d01cd17da800241a7a794a9d5487ffeeb4fb3e61031ccc7320392d80fb3c5d059b37f5b3aa5b655831
Memory dumps (dump name, size)
PID 4688 (rundll32.exe)
  memory/4688-0-0x0000000140000000-0x00000001400FD000-memory.dmp   1012KB
  memory/4688-3-0x000001F394C10000-0x000001F394C17000-memory.dmp   28KB
  memory/4688-37-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
PID 3388 (no image name in the report)
  memory/3388-4-0x00000000023D0000-0x00000000023D1000-memory.dmp   4KB (dridex_stager_shellcode match)
  memory/3388-6-0x0000000140000000-0x00000001400FD000-memory.dmp   1012KB
  memory/3388-7-0x0000000140000000-0x00000001400FD000-memory.dmp   1012KB
  memory/3388-8-0x0000000140000000-0x00000001400FD000-memory.dmp   1012KB
  memory/3388-9-0x0000000140000000-0x00000001400FD000-memory.dmp   1012KB
  memory/3388-10-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
  memory/3388-11-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
  memory/3388-12-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
  memory/3388-13-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
  memory/3388-22-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
  memory/3388-30-0x00007FFA14D2A000-0x00007FFA14D2B000-memory.dmp  4KB
  memory/3388-31-0x0000000000550000-0x0000000000557000-memory.dmp  28KB
  memory/3388-32-0x00007FFA16BB0000-0x00007FFA16BC0000-memory.dmp  64KB
  memory/3388-34-0x0000000140000000-0x00000001400FD000-memory.dmp  1012KB
PID 4348 (cmstp.exe, dropped)
  memory/4348-45-0x0000000140000000-0x00000001400FE000-memory.dmp  1016KB
  memory/4348-48-0x0000021F826B0000-0x0000021F826B7000-memory.dmp  28KB
  memory/4348-51-0x0000000140000000-0x00000001400FE000-memory.dmp  1016KB
PID 3812 (RecoveryDrive.exe, dropped)
  memory/3812-62-0x0000019E2D190000-0x0000019E2D197000-memory.dmp  28KB
  memory/3812-68-0x0000000140000000-0x00000001400FE000-memory.dmp  1016KB
PID 1720 (wbengine.exe, dropped)
  memory/1720-84-0x0000000140000000-0x00000001400FE000-memory.dmp  1016KB
The 1012KB mapping at 0x140000000 in PIDs 4688 and 3388 and the 1016KB mapping at the same address in the three dropped-EXE processes are the image-sized regions to carve for the unpacked payload; the 28KB regions in each process are small enough to be the loader's working buffer and are worth diffing against the 4KB page that matched the YARA rule.