Analysis

- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 22:09

Static task: static1
Behavioral task: behavioral1
Sample: 5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll
Resource: win7-20240221-en
General

- Target: 5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll
- Size: 990KB
- MD5: 5bbc3a414ecfee5ef1ad3915de9e7275
- SHA1: 5d7a2f05e453beca108e0aad77c56716d1aec5c2
- SHA256: 095248ed3b37a6a13dc0e755bc6480e04b9c6c7f21f05b7c7de8669da2378a91
- SHA512: 2eeb33941202ca5f5f9b592da09d63e9632c460b35eadd1ace0835439e47c5a92388096dd6cb8afd3aca1a584e7a7215f9f5d7589b990246c60c54c9b03418b5
- SSDEEP: 24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config

Signatures

- YARA rule match
  resource: behavioral2/memory/3448-4-0x00000000028F0000-0x00000000028F1000-memory.dmp
  yara_rule: dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  4280 sigverif.exe
  2672 eudcedit.exe
  520 SystemPropertiesComputerName.exe

- Loads dropped DLL (3 IoCs)
  4280 sigverif.exe
  2672 eudcedit.exe
  520 SystemPropertiesComputerName.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\Gj9s8rs\\eudcedit.exe"
  (no process name recorded for this event)

- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Queried by: sigverif.exe, eudcedit.exe, SystemPropertiesComputerName.exe, rundll32.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1484 rundll32.exe (4 events)
  3448 (image name not recorded; the remaining 60 events)

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3448 (image name not recorded) wrote to the memory of each target below; every pair is recorded twice:
  3448 -> 3592 sigverif.exe
  3448 -> 4280 sigverif.exe
  3448 -> 2732 eudcedit.exe
  3448 -> 2672 eudcedit.exe
  3448 -> 2464 SystemPropertiesComputerName.exe
  3448 -> 520 SystemPropertiesComputerName.exe

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll,#1
  PID: 1484
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe
  PID: 3592

- C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
  PID: 4280
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\eudcedit.exe
  Command line: C:\Windows\system32\eudcedit.exe
  PID: 2732

- C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
  Command line: C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
  PID: 2672
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\SystemPropertiesComputerName.exe
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 2464

- C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
  Command line: C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
  PID: 520
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\57KCMFN2h\VERSION.dll
  Filesize: 991KB
  MD5: 0cabbf0ab4843f6f32d80dbeaa05a132
  SHA1: 78c735e93c09dead343779acd228b5f361764018
  SHA256: 26016b98fefdc552b5f6c93993012309faee0a30eefac362f389561866d45468
  SHA512: a3b6e6e4c5642fd8be15225636cba69a1f90ebc6c1493b120d33d57ffc6ea493c7c00bd3aff99bdb023fb626e70c2dcc896bb077972557a9497c2cf25f7b25ef

- C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
  Filesize: 77KB
  MD5: 2151a535274b53ba8a728e542cbc07a8
  SHA1: a2304c0f2616a7d12298540dce459dd9ccf07443
  SHA256: 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
  SHA512: e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

- C:\Users\Admin\AppData\Local\ARU\MFC42u.dll
  Filesize: 1018KB
  MD5: 3ac2dbeef4aa0dd21574edc82d70a823
  SHA1: 76f8c6c2e750b96fcb8a86e9628befd80b22a3af
  SHA256: 0db1ac77efaf74dbc3fa43aa0420e92ed86d4ca3b30ded0dd484b2b4cf653d49
  SHA512: 9b496a8a6c0e9423da1b7d3a258ab2aab098ef3897810937e1fffa48c0592a3e21706a35a6b6c44f21a04676f30729c39ac73d9fcec4ece763ea774b847b0d80

- C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
  Filesize: 365KB
  MD5: a9de6557179d371938fbe52511b551ce
  SHA1: def460b4028788ded82dc55c36cb0df28599fd5f
  SHA256: 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
  SHA512: 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

- C:\Users\Admin\AppData\Local\yO85Kb\SYSDM.CPL
  Filesize: 991KB
  MD5: c97348d61e88998c10344730a593b11c
  SHA1: 3ba08275cede19de8fdc9847fe4bacba5c543cb8
  SHA256: 05c791abedcf601262fc5c865e7d03179d893b6dec528177c50ff293eb86625e
  SHA512: 9d84bbe4aed90235d2c4b0ae096d695c7c494f7bc258c5282c8cf4d1fc703030279e37f696b7559eb55176d6402ef1d9412322b06f443749af9d6ef05479f9bb

- C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
  Filesize: 82KB
  MD5: 6711765f323289f5008a6a2a04b6f264
  SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
  SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
  SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
  Filesize: 1KB
  MD5: 98b9541c641afbcc974fdd549dcd1bdb
  SHA1: 22718393a3c130023538bbca5ed95c1b3627dffa
  SHA256: 249dc04875dad875f0f85a4f13bc68862fc3caec916dffbf9496d1b79918d44a
  SHA512: b4f90c804733c3def35476b55824a7f0d1e481a6d9a07cf2a9ff5c92b6bdb54507d9f99a7d25fe3d68b03207e22fbcea0b1628c5a5a003e7383511fc4ac1f7ae

Memory dumps (name, size):

- memory/520-87-0x0000000140000000-0x00000001400FE000-memory.dmp (1016KB)
- memory/520-84-0x0000025452370000-0x0000025452377000-memory.dmp (28KB)
- memory/1484-0-0x000001F0F7F30000-0x000001F0F7F37000-memory.dmp (28KB)
- memory/1484-38-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/1484-1-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/2672-65-0x0000000140000000-0x0000000140104000-memory.dmp (1.0MB)
- memory/2672-64-0x0000019E84BE0000-0x0000019E84BE7000-memory.dmp (28KB)
- memory/2672-70-0x0000000140000000-0x0000000140104000-memory.dmp (1.0MB)
- memory/3448-23-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-26-0x00007FF8F6250000-0x00007FF8F6260000-memory.dmp (64KB)
- memory/3448-7-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-8-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-9-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-4-0x00000000028F0000-0x00000000028F1000-memory.dmp (4KB)
- memory/3448-6-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-13-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-10-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-11-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-12-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-14-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-24-0x00007FF8F5A1A000-0x00007FF8F5A1B000-memory.dmp (4KB)
- memory/3448-35-0x0000000140000000-0x00000001400FD000-memory.dmp (1012KB)
- memory/3448-25-0x00000000008D0000-0x00000000008D7000-memory.dmp (28KB)
- memory/4280-51-0x0000000140000000-0x00000001400FE000-memory.dmp (1016KB)
- memory/4280-45-0x0000000140000000-0x00000001400FE000-memory.dmp (1016KB)
- memory/4280-48-0x0000027725B70000-0x0000027725B77000-memory.dmp (28KB)
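Reading the Processes, Signatures and Downloads sections together, the shape is consistent: three Windows binaries (sigverif.exe, eudcedit.exe, SystemPropertiesComputerName.exe) are copied into freshly named directories under AppData\Local, each next to one loadable module carrying a legitimate Windows module name (VERSION.dll, MFC42u.dll, SYSDM.CPL) and roughly the sample's size, and the copies then "load dropped DLL"; persistence is a Run value pointing into the roaming profile plus a Startup .lnk. That is the DLL search-order hijack (sideloading) pattern, and it is what an analyst would carry into a hunt. The triage helper below is an added example written for this page, not part of the sandbox output or of any Dridex tooling: it re-encodes the report's process list, dropped-file paths, Run value and rundll32 command line as constructed data and flags (1) a system-binary name running from a user-writable directory that also received a loadable module, (2) Run/Startup persistence pointing into the user profile, and (3) rundll32 loading a DLL from outside System32 by export (here ordinal #1). The heuristics, data-structure layout and function names are the editor's assumptions, and the script is offline and self-contained.

```python
"""Triage helper for the sideloading pattern in this report (added example).

The data below is transcribed from the report's Processes, Signatures and
Downloads sections; the heuristics and names are the editor's, not the
sandbox's. Paths compare case-insensitively, as on NTFS.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (pid, image path) transcribed from the Processes section.
PROCESS_EVENTS = [
    (1484, r"C:\Windows\system32\rundll32.exe"),
    (3592, r"C:\Windows\system32\sigverif.exe"),
    (4280, r"C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe"),
    (2732, r"C:\Windows\system32\eudcedit.exe"),
    (2672, r"C:\Users\Admin\AppData\Local\ARU\eudcedit.exe"),
    (2464, r"C:\Windows\system32\SystemPropertiesComputerName.exe"),
    (520, r"C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe"),
]

# Dropped-file paths transcribed from the Downloads section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\57KCMFN2h\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe",
    r"C:\Users\Admin\AppData\Local\ARU\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\ARU\eudcedit.exe",
    r"C:\Users\Admin\AppData\Local\yO85Kb\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk",
]

# Run value (name -> target) transcribed from the "Adds Run key" signature.
RUN_VALUES = {
    "Bhelxfhv": r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Gj9s8rs\eudcedit.exe",
}

# Command line of PID 1484 transcribed from the Processes section.
RUNDLL32_CMDLINE = (
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
    r"\5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll,#1"
)

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed allow-list
LOADABLE = {".dll", ".cpl", ".ocx"}  # module types a sideloaded host will load


def is_system_dir(path: str) -> bool:
    """True when the file sits directly in one of the trusted system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def sideload_candidates(processes, dropped):
    """Map image name -> details for every process whose image name was also
    seen running from a system directory, but which itself ran from a
    directory that received a loadable module during the same run."""
    system_names = {PureWindowsPath(p).name.lower() for _, p in processes if is_system_dir(p)}
    by_dir = defaultdict(list)  # lower-cased directory -> dropped file names
    for f in dropped:
        p = PureWindowsPath(f)
        by_dir[str(p.parent).lower()].append(p.name)
    hits = {}
    for pid, image in processes:
        p = PureWindowsPath(image)
        if is_system_dir(image) or p.name.lower() not in system_names:
            continue
        payloads = [n for n in by_dir[str(p.parent).lower()]
                    if PureWindowsPath(n).suffix.lower() in LOADABLE]
        if payloads:
            hits[p.name.lower()] = {"pid": pid, "dir": str(p.parent), "payloads": payloads}
    return hits


def persistence_findings(run_values, dropped):
    """Flag Run values that point into the user profile and .lnk drops in Startup."""
    findings = []
    for name, target in run_values.items():
        if "\\appdata\\" in target.lower() and not is_system_dir(target):
            findings.append(("run_key", name, target))
    for f in dropped:
        low = f.lower()
        if "\\startup\\" in low and low.endswith(".lnk"):
            findings.append(("startup_lnk", PureWindowsPath(f).name, f))
    return findings


# rundll32 <dll>,<export>; the export may be a name or an ordinal such as #1.
_RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(#\d+|\w+)', re.I)


def rundll32_user_dll(cmdline):
    """Return (dll, export) when rundll32 loads a DLL from outside the system
    directories; None for the benign system-DLL case."""
    m = _RUNDLL32.search(cmdline)
    if not m or is_system_dir(m.group(1)):
        return None
    return m.group(1), m.group(2)


if __name__ == "__main__":
    for name, d in sideload_candidates(PROCESS_EVENTS, DROPPED_FILES).items():
        print(f"sideload host {name} pid={d['pid']} dir={d['dir']} modules={d['payloads']}")
    for kind, name, target in persistence_findings(RUN_VALUES, DROPPED_FILES):
        print(f"persistence {kind}: {name} -> {target}")
    print("rundll32 loader:", rundll32_user_dll(RUNDLL32_CMDLINE))
```

Run as-is it reports the three hosts with their paired modules, the Bhelxfhv Run value and the Oabtankaq.lnk drop, and the rundll32 ordinal load from Temp. To reuse it against real telemetry, feed process-creation and file-creation events in place of the transcribed lists; the name-matching step deliberately keys off binaries that were also observed in a system directory, so it does not need a hard-coded list of Windows executables, but on a live host you would replace that with a hash or signature check of the copied binary against its System32 original.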