Analysis
-
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 06:02
Static task: static1
Behavioral task: behavioral1
Sample: 58e75416d4ee4a278611094fcb4415b3_JaffaCakes118.dll
Resource: win7-20240221-en
General
-
Target: 58e75416d4ee4a278611094fcb4415b3_JaffaCakes118.dll
Size: 1.2MB
MD5: 58e75416d4ee4a278611094fcb4415b3
SHA1: cafe586e68798b0daf27326fef300343cb1b223b
SHA256: e23c41349eeefc69c4c1f27fd1571d6fc0c6b23ef1e226ae7987399748d9f993
SHA512: be53b9e6b09e6dbc8511accf9164ab7f58492533c5e4e916c34803dc1bb4950e8bf00ab0b29c82d1002d4882e5630f7987b15c5ab8104c500c499f643a64f22c
SSDEEP: 24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid process
2464 DeviceDisplayObjectProvider.exe
1944 dccw.exe
3004 rdpshell.exe
Loads dropped DLL 7 IoCs
Processes:
pid process
1204 (no process name reported)
2464 DeviceDisplayObjectProvider.exe
1204 (no process name reported)
1944 dccw.exe
1204 (no process name reported)
3004 rdpshell.exe
1204 (no process name reported)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\Pc1HH\\dccw.exe"
process: (not reported)
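The Run key above is the one piece of persistence the report spells out, and it is worth reading carefully: the value lives under HKU (so no elevation was needed, which fits the EnableLUA queries that follow), the path is written entirely in 8.3 short names (MICROS~1, INTERN~1, QUICKL~1, USERPI~1), which defeats naive string matching on "Microsoft\Internet Explorer\Quick Launch", and the target is a copy of a Windows binary (dccw.exe) placed under the user's profile rather than System32. The script below is an added example, not part of the sandbox report or of the sample's behaviour: it parses the IoC line exactly as the sandbox prints it (doubled backslashes included), recovers the hive, key, value name and command, and runs a few triage checks over the command path and over the Startup-folder .lnk listed under Downloads. SYSTEM_BINARY_NAMES is an assumed seed list drawn only from this report's process tree.

```python
import ntpath
import re

# Constructed from the "Adds Run key" IoC of this report (the exact line shown
# by the sandbox, with its doubled backslashes) and the Startup-folder .lnk
# listed under Downloads.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\Pc1HH\\dccw.exe"'
)
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk"

# "Set value (<type>) <key>\<value name> = "<data>"" as printed by the sandbox.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>.*)"$'
)
# 8.3 short-name components such as MICROS~1 (tilde, digits, then a separator or end).
SHORT_NAME_RE = re.compile(r"~\d+(?=\\|$)")

# Assumed seed list: the Windows binaries this report shows being copied out
# of System32. Extend it for real hunting.
SYSTEM_BINARY_NAMES = {"dccw.exe", "devicedisplayobjectprovider.exe", "rdpshell.exe"}
HIVES = {r"\REGISTRY\USER": "HKU", r"\REGISTRY\MACHINE": "HKLM"}


def parse_run_key_ioc(line: str) -> dict:
    """Split a sandbox 'Set value' IoC into hive, key, value name, type and command."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"not a registry Set value IoC: {line!r}")
    key = m["key"]
    hive = next((h for prefix, h in HIVES.items() if key.upper().startswith(prefix)), "other")
    return {
        "hive": hive,
        "key": key,
        "value_name": m["name"],
        "value_type": m["type"],
        # The sandbox escapes backslashes inside the quoted data; undo that.
        "command": m["data"].replace("\\\\", "\\"),
    }


def assess_persistence_path(path: str) -> list:
    """Return the triage observations that apply to a persistence target path."""
    low = path.lower()
    findings = []
    if SHORT_NAME_RE.search(path):
        findings.append("8.3 short names in path")
    if "\\appdata\\" in low:
        findings.append("user-profile location (no admin rights needed)")
    if "\\programs\\startup\\" in low:
        findings.append("Startup folder")
    if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        findings.append("Windows binary name outside C:\\Windows")
    return findings


if __name__ == "__main__":
    rec = parse_run_key_ioc(RUN_KEY_IOC)
    print(f"{rec['hive']} ...\\Run\\{rec['value_name']} -> {rec['command']}")
    for f in assess_persistence_path(rec["command"]):
        print("  Run key:", f)
    for f in assess_persistence_path(STARTUP_LNK):
        print("  Startup .lnk:", f)
```

Note that the Run key points at a Pc1HH directory under Quick Launch\User Pinned, not at the Z3tEh4iDC directory from which dccw.exe was actually executed during the run; the report does not list a file at that Pc1HH path, so a hunt on the live host would need to resolve the short names and check whether the copy exists there.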
Checks whether UAC is enabled
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: DeviceDisplayObjectProvider.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: dccw.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rdpshell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2944 rundll32.exe (3 entries)
1204 (61 entries, no process name reported)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description (pid, target pid, target process); each pair is reported three times
PID 1204 wrote to memory of 2472 (DeviceDisplayObjectProvider.exe)
PID 1204 wrote to memory of 2464 (DeviceDisplayObjectProvider.exe)
PID 1204 wrote to memory of 2608 (dccw.exe)
PID 1204 wrote to memory of 1944 (dccw.exe)
PID 1204 wrote to memory of 3032 (rdpshell.exe)
PID 1204 wrote to memory of 3004 (rdpshell.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\58e75416d4ee4a278611094fcb4415b3_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2944
-
C:\Windows\system32\DeviceDisplayObjectProvider.exe
Command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID:2472
-
C:\Users\Admin\AppData\Local\WYG0v\DeviceDisplayObjectProvider.exe
Command line: C:\Users\Admin\AppData\Local\WYG0v\DeviceDisplayObjectProvider.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2464
-
C:\Windows\system32\dccw.exe
Command line: C:\Windows\system32\dccw.exe
PID:2608
-
C:\Users\Admin\AppData\Local\Z3tEh4iDC\dccw.exe
Command line: C:\Users\Admin\AppData\Local\Z3tEh4iDC\dccw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1944
-
C:\Windows\system32\rdpshell.exe
Command line: C:\Windows\system32\rdpshell.exe
PID:3032
-
C:\Users\Admin\AppData\Local\oYwKIUi\rdpshell.exe
Command line: C:\Users\Admin\AppData\Local\oYwKIUi\rdpshell.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3004
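The tree shows the pattern a practitioner should recognise: each of three Windows binaries (DeviceDisplayObjectProvider.exe, dccw.exe, rdpshell.exe) runs once from System32 and once from a random-named directory under AppData\Local, and the Downloads table shows that each of those directories also received a DLL carrying the name of a system DLL (XmlLite.dll, dxva2.dll, WINSTA.dll). All seven processes sit at the top level of the tree; the process that actually wrote into them and loaded the dropped DLLs is PID 1204, which the report never names. The script below is an added example, not part of the sandbox report or of the sample: it turns that pattern into a check that can be run over any (pid, image path) list plus a dropped-file list. The lists are constructed from this report; `known_system_binaries` is an assumed optional seed list for logs in which the legitimate System32 copy was not launched.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Process list constructed from the process tree of this report (pid, image path).
# PIDs 2472, 2608 and 3032 are the copies started from System32; 2464, 1944 and
# 3004 carry the same binary names but run from per-sample directories under
# %LOCALAPPDATA%.
PROCESSES = [
    (2944, r"C:\Windows\system32\rundll32.exe"),
    (2472, r"C:\Windows\system32\DeviceDisplayObjectProvider.exe"),
    (2464, r"C:\Users\Admin\AppData\Local\WYG0v\DeviceDisplayObjectProvider.exe"),
    (2608, r"C:\Windows\system32\dccw.exe"),
    (1944, r"C:\Users\Admin\AppData\Local\Z3tEh4iDC\dccw.exe"),
    (3032, r"C:\Windows\system32\rdpshell.exe"),
    (3004, r"C:\Users\Admin\AppData\Local\oYwKIUi\rdpshell.exe"),
]

# File paths constructed from the Downloads table of this report.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\WYG0v\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\Z3tEh4iDC\dxva2.dll",
    r"C:\Users\Admin\AppData\Local\oYwKIUi\WINSTA.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk",
    r"C:\Users\Admin\AppData\Local\WYG0v\DeviceDisplayObjectProvider.exe",
    r"C:\Users\Admin\AppData\Local\Z3tEh4iDC\dccw.exe",
    r"C:\Users\Admin\AppData\Local\oYwKIUi\rdpshell.exe",
]

WINDOWS_DIR_PREFIX = "c:\\windows\\"


@dataclass(frozen=True)
class SideloadHit:
    pid: int
    exe_path: str
    dll_path: str


def in_windows_dir(path: str) -> bool:
    """True for images under C:\\Windows (System32, SysWOW64, ...)."""
    return path.lower().startswith(WINDOWS_DIR_PREFIX)


def find_sideload_candidates(processes, dropped_files, known_system_binaries=()):
    """Flag processes whose image name is a Windows binary but which run from a
    directory outside C:\\Windows that also received a dropped DLL.

    The set of Windows binary names is learned from processes seen running
    under C:\\Windows, plus an optional seed list (assumed input), so the check
    works both when the legitimate copy was launched, as in this report, and
    when it was not.
    """
    system_names = {
        ntpath.basename(path).lower() for _, path in processes if in_windows_dir(path)
    }
    system_names |= {name.lower() for name in known_system_binaries}

    dlls_by_dir = defaultdict(list)
    for f in dropped_files:
        if f.lower().endswith(".dll"):
            dlls_by_dir[ntpath.dirname(f).lower()].append(f)

    hits = []
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name in system_names and not in_windows_dir(path):
            for dll in dlls_by_dir.get(ntpath.dirname(path).lower(), []):
                hits.append(SideloadHit(pid, path, dll))
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(PROCESSES, DROPPED_FILES):
        print(f"PID {hit.pid}: {hit.exe_path}  <-  {hit.dll_path}")
```

On this report's data the check yields exactly the three AppData\Local copies, each paired with the DLL dropped beside it. The report does not state that the three EXEs import those DLLs; the pairing is by directory only, which is the right level of suspicion for triage and should be confirmed by inspecting the import tables or the image-load events of the dropped EXEs.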
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\WYG0v\XmlLite.dll
Filesize: 1.2MB
MD5: 30604e0cefbec4a7bf7603256ce2874e
SHA1: 968c3b47c1c01312ebd8c0ef10a1dabaa6c77299
SHA256: 47581d306a0bd44fbbfaed7ebdb460e9efabef7a4401a4ceb2fcd0e673ec857f
SHA512: 75eedbdaa163055bd63241b1906db6bc42d3edd6f9694930f77f21a2d9ec2f0455f065bfd23713289649fbc964a7cbe2d473f95d9cda2526920876b18238522b
-
C:\Users\Admin\AppData\Local\Z3tEh4iDC\dxva2.dll
Filesize: 1.2MB
MD5: d5fdff61adad2d479d1d10162da7befe
SHA1: ef4155a17fc4bbb93307be627ae5e82c6cf94574
SHA256: 899ce63dd8745f575af7dfbd3adc98180bd067fe9211e715a87c451185648117
SHA512: ec9f3366ee0000b43e9a4e6c5278522fc09c22cb409980de428a92c77df01fde67c5e90a4bcfd0da341bdd995875ee17574ef2b948934c8930cb2f711d7d45ad
-
C:\Users\Admin\AppData\Local\oYwKIUi\WINSTA.dll
Filesize: 1.2MB
MD5: d6e61307b22b1f1185a971d7b07b054f
SHA1: 31de13fa126e0d8fb7399b6805c25283111bc105
SHA256: 521120d179fb20fd18b34f7bccd06fb8d78f054a243b09fccb9dd5a969d64cb6
SHA512: e3b4276c31fb9d4f124d587be5596a19a1b06ab6819cf8c9afd30da119d5e5acaa898777eab9ba14e0f79bbb7bd97916caf4352217741315b88e8910990ca317
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize: 1KB
MD5: 02f7607369b5cc875c5ac603b901dd4e
SHA1: 18b5bc65b8ac517ce19cb4dfbb78c7a74fbacfae
SHA256: b5c35057228a0fbc16744d6eaf526a6258948e0272e239f8a583d4ba523bdaf9
SHA512: 205b558bf21e49274a5f149bf18544ee28ac39723c710c90bf06018a54bea261fdd8b987e4f05b3e31b7910e95ae37ef671076a0e4b188ceabb2dc4a74b9e02d
-
\Users\Admin\AppData\Local\WYG0v\DeviceDisplayObjectProvider.exe
Filesize: 109KB
MD5: 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1: 72e98687a8d28614e2131c300403c2822856e865
SHA256: 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512: 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
-
\Users\Admin\AppData\Local\Z3tEh4iDC\dccw.exe
Filesize: 861KB
MD5: a46cee731351eb4146db8e8a63a5c520
SHA1: 8ea441e4a77642e12987ac842b36034230edd731
SHA256: 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5
SHA512: 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc
-
\Users\Admin\AppData\Local\oYwKIUi\rdpshell.exe
Filesize: 292KB
MD5: a62dfcea3a58ba8fcf32f831f018fe3f
SHA1: 75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256: f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA512: 9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603
-
memory/1204-26-0x0000000077471000-0x0000000077472000-memory.dmp  Filesize: 4KB
memory/1204-24-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-15-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-14-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-13-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-12-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-11-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-9-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-27-0x0000000077600000-0x0000000077602000-memory.dmp  Filesize: 8KB
memory/1204-4-0x0000000077266000-0x0000000077267000-memory.dmp  Filesize: 4KB
memory/1204-36-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-37-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp  Filesize: 4KB
memory/1204-25-0x0000000002AF0000-0x0000000002AF7000-memory.dmp  Filesize: 28KB
memory/1204-7-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-8-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-10-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/1204-64-0x0000000077266000-0x0000000077267000-memory.dmp  Filesize: 4KB
memory/1944-72-0x0000000000110000-0x0000000000117000-memory.dmp  Filesize: 28KB
memory/1944-78-0x0000000140000000-0x0000000140143000-memory.dmp  Filesize: 1.3MB
memory/2464-59-0x0000000140000000-0x0000000140143000-memory.dmp  Filesize: 1.3MB
memory/2464-54-0x0000000140000000-0x0000000140143000-memory.dmp  Filesize: 1.3MB
memory/2464-53-0x0000000000470000-0x0000000000477000-memory.dmp  Filesize: 28KB
memory/2944-45-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/2944-0-0x0000000000120000-0x0000000000127000-memory.dmp  Filesize: 28KB
memory/2944-1-0x0000000140000000-0x0000000140142000-memory.dmp  Filesize: 1.3MB
memory/3004-90-0x0000000140000000-0x0000000140144000-memory.dmp  Filesize: 1.3MB
memory/3004-95-0x0000000140000000-0x0000000140144000-memory.dmp  Filesize: 1.3MB
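The dump names above encode pid, capture index and the start and end of each region, so they can be parsed rather than read by eye. Two things stand out once they are grouped: a region of roughly 1.3MB based at 0x140000000 appears in every process in the report (rundll32.exe 2944, the unnamed PID 1204, and each of the three dropped EXEs), and the single 4KB region at 0x2E00000 in PID 1204 (dump index 5) is the one the dridex_stager_shellcode YARA rule matched under Signatures. The region sizes are close to the 1.2MB of the sample and of the three dropped DLLs, but the report does not say what is mapped there, so the grouping only makes the recurrence visible. The script below is an added example, not part of the sandbox report: it parses the dump names, reproduces the report's size display, and lists the bases shared across processes. DUMPS is a constructed subset of the names listed above.

```python
import re
from collections import defaultdict

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Constructed subset of the dump names listed in this report.
DUMPS = [
    "memory/2944-0-0x0000000000120000-0x0000000000127000-memory.dmp",
    "memory/2944-1-0x0000000140000000-0x0000000140142000-memory.dmp",
    "memory/1204-4-0x0000000077266000-0x0000000077267000-memory.dmp",
    "memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp",
    "memory/1204-7-0x0000000140000000-0x0000000140142000-memory.dmp",
    "memory/1204-25-0x0000000002AF0000-0x0000000002AF7000-memory.dmp",
    "memory/2464-53-0x0000000000470000-0x0000000000477000-memory.dmp",
    "memory/2464-54-0x0000000140000000-0x0000000140143000-memory.dmp",
    "memory/1944-72-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/1944-78-0x0000000140000000-0x0000000140143000-memory.dmp",
    "memory/3004-90-0x0000000140000000-0x0000000140144000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Decode pid, index, start, end and byte size from a dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Approximate the report's display: whole KB below 1MB, one decimal above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def regions_by_base(names) -> dict:
    """Map each region start address to the set of pids it was dumped from."""
    by_base = defaultdict(set)
    for name in names:
        rec = parse_dump_name(name)
        by_base[rec["start"]].add(rec["pid"])
    return dict(by_base)


def shared_bases(names, min_pids: int = 2) -> list:
    """Bases dumped from at least `min_pids` distinct processes, with their pids."""
    return sorted(
        (base, sorted(pids)) for base, pids in regions_by_base(names).items() if len(pids) >= min_pids
    )


if __name__ == "__main__":
    for name in DUMPS:
        rec = parse_dump_name(name)
        print(f"pid {rec['pid']:>5}  0x{rec['start']:012X}  {human_size(rec['size']):>6}")
    for base, pids in shared_bases(DUMPS):
        print(f"base 0x{base:X} seen in pids {pids}")
```

Running it over the constructed subset shows a single shared base, 0x140000000, across PIDs 1204, 1944, 2464, 2944 and 3004; every other region in the list is private to one process. Feeding it the full list from the report gives the same result, since the extra entries are repeat captures of the same regions.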