Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll
Resource: win7-20240220-en
General
- Target: 6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll
- Size: 989KB
- MD5: 6546ef01ad7cf5ea8767ca35e0a9497d
- SHA1: 8302c377caccf0332af3c94ef45217a929b61110
- SHA256: c9d45c41ecba0e13d08bea6b3393cf730d02482f0923b754a2ab72b9ea9ee361
- SHA512: 135fc8029dfdcd91fd5ec72b65a8fdd2a240f0627116530cc6fc878045dbce0c92f96d78f2b6faa645a98ae0f3024261199369b59a7b2bd6cb72210172362b24
- SSDEEP: 24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1192-5-0x0000000002510000-0x0000000002511000-memory.dmp   dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes:
  pid    process
  2420   rstrui.exe
  1524   sigverif.exe
  1872   notepad.exe
- Loads dropped DLL 7 IoCs
  Processes:
  pid    process
  1192   (no process name recorded)
  2420   rstrui.exe
  1192   (no process name recorded)
  1524   sigverif.exe
  1192   (no process name recorded)
  1872   notepad.exe
  1192   (no process name recorded)
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description       ioc                                                                                                                                                                        process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\IG\\sigverif.exe"   (no process name recorded)
- Checks whether UAC is enabled
  Processes:
  description         ioc                                                                                       process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   notepad.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rstrui.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   sigverif.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid    process
  3036   rundll32.exe
  3036   rundll32.exe
  3036   rundll32.exe
  1192   (no process name recorded; this pid accounts for all remaining IoCs of the 64)
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes:
  description                          pid    process                      target process
  PID 1192 wrote to memory of 2372     1192   (no process name recorded)   rstrui.exe     (3 times)
  PID 1192 wrote to memory of 2420     1192   (no process name recorded)   rstrui.exe     (3 times)
  PID 1192 wrote to memory of 1428     1192   (no process name recorded)   sigverif.exe   (3 times)
  PID 1192 wrote to memory of 1524     1192   (no process name recorded)   sigverif.exe   (3 times)
  PID 1192 wrote to memory of 2664     1192   (no process name recorded)   notepad.exe    (3 times)
  PID 1192 wrote to memory of 1872     1192   (no process name recorded)   notepad.exe    (3 times)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3036
- C:\Windows\system32\rstrui.exe
  Command line: C:\Windows\system32\rstrui.exe
  PID: 2372
- C:\Users\Admin\AppData\Local\bwc\rstrui.exe
  Command line: C:\Users\Admin\AppData\Local\bwc\rstrui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2420
- C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe
  PID: 1428
- C:\Users\Admin\AppData\Local\iXpEZu\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\iXpEZu\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1524
- C:\Windows\system32\notepad.exe
  Command line: C:\Windows\system32\notepad.exe
  PID: 2664
- C:\Users\Admin\AppData\Local\T7zD\notepad.exe
  Command line: C:\Users\Admin\AppData\Local\T7zD\notepad.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1872
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\T7zD\notepad.exe
  Filesize: 189KB
  MD5: f2c7bb8acc97f92e987a2d4087d021b1
  SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
  SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
  SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8
- C:\Users\Admin\AppData\Local\bwc\SPP.dll
  Filesize: 990KB
  MD5: 443fab4ad9d329449bfe1eadb91b0556
  SHA1: 2d4f659f8a6ca4f77ed5ef71b6456c6ce03d6a2c
  SHA256: 7cbdb6ff5d0daf4349c894b954b16734c3a3cbdcd7795d0b6b20da915f8d941a
  SHA512: 4b6e7c50dfade08e52bf4e5cfe3ef24cf62efba11ac9234d89087464f447356d4db6d4fc61703fb948789da1c4b29d74543c6698484f13db7e2d93a996ec737c
- C:\Users\Admin\AppData\Local\bwc\rstrui.exe
  Filesize: 290KB
  MD5: 3db5a1eace7f3049ecc49fa64461e254
  SHA1: 7dc64e4f75741b93804cbae365e10dc70592c6a9
  SHA256: ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
  SHA512: ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025
- C:\Users\Admin\AppData\Local\iXpEZu\VERSION.dll
  Filesize: 990KB
  MD5: e380ea41db1a81b8e6ff5f6ad78b4ad6
  SHA1: e4422052eb1952365f3ac944af07241543fff4ab
  SHA256: 8eff13894d1fe7b2d50e64973f1518f1e46a182c62e787b3246c197ea6fe27d5
  SHA512: 3c263a722371d37d825b6c43e426b9d8ef8d304bf705f38fe16c45c4520c74adf30f916b710968e5ff5ee9a07e8333e6e96de9c73e82d4e4c22e58c96ac9a229
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
  Filesize: 1KB
  MD5: 91b0677b40ba9b96adc9a8c6f6aff327
  SHA1: 990582b0589400b1a26268c40addec79c7af34f1
  SHA256: 848e86137c6a20814d072bcb83215f4be965afc84e50095d5010abf89af90fe0
  SHA512: e40bf63345a5660e67be21896e569cc8cb3fb560bd8cf66b215ad285a9bcecc877ece55a0600d8ee32d180e163ea430b0a99abdb2b05c42953ff673b8b83d957
- \Users\Admin\AppData\Local\T7zD\VERSION.dll
  Filesize: 990KB
  MD5: bc0d890e69e3b085e9b0978f7cf02314
  SHA1: 2b7b59261e233b0dc7262778fa4b1fdd9427a804
  SHA256: 9b7bfb6616b7db7fd1fde834c0d8200d2426dca5dbeb58c6d215ef1f5b134d83
  SHA512: bba7bdbbf420703fe7495dd0a707c5b9c1469c773b6515a1ccdcc728b9de5816a475860e45d9325b601d5fdb77988f5a445336734880a4fa47ec29df222161be
- \Users\Admin\AppData\Local\iXpEZu\sigverif.exe
  Filesize: 73KB
  MD5: e8e95ae5534553fc055051cee99a7f55
  SHA1: 4e0f668849fd546edd083d5981ed685d02a68df4
  SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
  SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6
- memory/1192-35-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-25-0x00000000771F1000-0x00000000771F2000-memory.dmp (Filesize: 4KB)
- memory/1192-26-0x0000000077380000-0x0000000077382000-memory.dmp (Filesize: 8KB)
- memory/1192-4-0x00000000770E6000-0x00000000770E7000-memory.dmp (Filesize: 4KB)
- memory/1192-36-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-5-0x0000000002510000-0x0000000002511000-memory.dmp (Filesize: 4KB)
- memory/1192-24-0x00000000024F0000-0x00000000024F7000-memory.dmp (Filesize: 28KB)
- memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/1192-63-0x00000000770E6000-0x00000000770E7000-memory.dmp (Filesize: 4KB)
- memory/1524-74-0x00000000000A0000-0x00000000000A7000-memory.dmp (Filesize: 28KB)
- memory/1524-77-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/1872-90-0x0000000000290000-0x0000000000297000-memory.dmp (Filesize: 28KB)
- memory/1872-95-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/2420-58-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/2420-55-0x0000000000110000-0x0000000000117000-memory.dmp (Filesize: 28KB)
- memory/2420-52-0x0000000140000000-0x00000001400FD000-memory.dmp (Filesize: 1012KB)
- memory/3036-44-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)
- memory/3036-3-0x00000000002A0000-0x00000000002A7000-memory.dmp (Filesize: 28KB)
- memory/3036-0-0x0000000140000000-0x00000001400FC000-memory.dmp (Filesize: 1008KB)