Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
23-05-2024 18:46
Static task
static1
Behavioral task
behavioral1
Sample
6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll
Resource
win7-20240508-en
General
-
Target
6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll
-
Size
1.4MB
-
MD5
6bea9c1a003870ad52df8b2eb97fe986
-
SHA1
06ba82c8b99a00e35eee2bdda767680958e14cb8
-
SHA256
a4028b0f6604c7aeecc2330ee67997f99ffe70e21215f9aeedf017967be7d9e2
-
SHA512
2756a44868022d3706703628aba56cc8b2ce687e0adace62248b33576fed7b7d9d289a33aa3cae5e16120d3504f8d57d770cd503ce3d35674d76fe004c296689
-
SSDEEP
24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
YARA rule match
Processes:
resource                                                                     yara_rule
behavioral1/memory/1136-5-0x00000000024F0000-0x00000000024F1000-memory.dmp   dridex_stager_shellcode
PID 1136 is never given an image name anywhere in this report, yet it holds this 4KB shellcode region, maps the same 1.5MB image at 0x140000000 that rundll32.exe (PID 1632) maps, loads every dropped DLL and is the source of every WriteProcessMemory event below. That is consistent with the loader having migrated out of rundll32.exe into an existing process that the sandbox did not label.
Executes dropped EXE 3 IoCs
Processes:
pid    process
2444   VaultSysUi.exe
1488   SystemPropertiesDataExecutionPrevention.exe
2112   StikyNot.exe
Loads dropped DLL 8 IoCs
Processes:
pid    process
1136   (not named in the report)
1136   (not named in the report)
2444   VaultSysUi.exe
1136   (not named in the report)
1488   SystemPropertiesDataExecutionPrevention.exe
1136   (not named in the report)
2112   StikyNot.exe
1136   (not named in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                                  process
Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr   (not named in the report)
                  = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\kn\\SystemPropertiesDataExecutionPrevention.exe"
Note that the Run value points at a copy of SystemPropertiesDataExecutionPrevention.exe under AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\kn\, not at the 3Db9GhJ7k copy seen in the process tree, and the dropped-file list below contains no entry for that path, so the persistence target was not captured as a file write within the run time.
-
Checks whether UAC is enabled
Processes:
description         ioc                                                                             process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   VaultSysUi.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SystemPropertiesDataExecutionPrevention.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   StikyNot.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process                      events
1632   rundll32.exe                 3
1136   (not named in the report)    61
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                   pid    process                     target process                                 (count)
PID 1136 wrote to memory of   2712   (not named in the report)   VaultSysUi.exe                                 3
PID 1136 wrote to memory of   2444   (not named in the report)   VaultSysUi.exe                                 3
PID 1136 wrote to memory of   1584   (not named in the report)   SystemPropertiesDataExecutionPrevention.exe    3
PID 1136 wrote to memory of   1488   (not named in the report)   SystemPropertiesDataExecutionPrevention.exe    3
PID 1136 wrote to memory of   2540   (not named in the report)   StikyNot.exe                                   3
PID 1136 wrote to memory of   2112   (not named in the report)   StikyNot.exe                                   3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each Windows binary below runs twice: first from C:\Windows\system32, then from a copy under C:\Users\Admin\AppData\Local\<random> that sits beside a dropped DLL (credui.dll, SYSDM.CPL and DUI70.dll in the Downloads list) carrying the name of a module the binary would otherwise resolve from System32, the usual DLL side-loading arrangement. All seven entries sit at the same depth of the tree; none is recorded as a child of another, and the WriteProcessMemory signature shows the unnamed PID 1136 writing into each of the six side-loading processes.
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
C:\Windows\system32\VaultSysUi.exe
command line: C:\Windows\system32\VaultSysUi.exe
PID:2712
-
C:\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
command line: C:\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2444
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID:1584
-
C:\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
command line: C:\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488
-
C:\Windows\system32\StikyNot.exe
command line: C:\Windows\system32\StikyNot.exe
PID:2540
-
C:\Users\Admin\AppData\Local\HDSH\StikyNot.exe
command line: C:\Users\Admin\AppData\Local\HDSH\StikyNot.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2112
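The process tree, dropped-file list, Run key and WriteProcessMemory events above are the kind of telemetry a hunt query would run over. The script below is an added example, not part of the sandbox report: it replays those observations as hand-constructed events (the field names are this example's own, not a sandbox or EDR schema) and flags the three things a responder would want from this report: a System32 binary name executing from outside System32, a dropped file beside it that shadows a module the binary would otherwise load from System32, autorun entries pointing into the user profile, and one PID writing into many other processes. The binary-to-module pairings are an assumption read off the report's Downloads list, not a Microsoft import table.

```python
"""Hunting for the relocated-system-binary (DLL side-loading) pattern.

Added example, not part of the sandbox report. Events are constructed by
hand from the report's process tree, dropped-file list, Run key and
WriteProcessMemory signature.
"""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# Module a copy of each binary would pick up from its own directory before
# System32. Assumption: pairings read off the dropped-file list in the report
# (credui.dll, SYSDM.CPL, DUI70.dll), not from a Microsoft import table.
EXPECTED_IMPORTS = {
    "vaultsysui.exe": {"credui.dll"},
    "systempropertiesdataexecutionprevention.exe": {"sysdm.cpl"},
    "stikynot.exe": {"dui70.dll"},
}

PROCESS_EVENTS = [  # constructed from the process tree
    {"pid": 1632, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 2712, "image": r"C:\Windows\system32\VaultSysUi.exe"},
    {"pid": 2444, "image": r"C:\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe"},
    {"pid": 1584, "image": r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"},
    {"pid": 1488, "image": r"C:\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe"},
    {"pid": 2540, "image": r"C:\Windows\system32\StikyNot.exe"},
    {"pid": 2112, "image": r"C:\Users\Admin\AppData\Local\HDSH\StikyNot.exe"},
]

DROPPED_FILES = [  # constructed from the Downloads list (8.3 names as the sandbox recorded them)
    r"C:\Users\Admin\AppData\Local\3Db9GhJ7k\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\HDSH\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\nFRD4N1\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk",
]

RUN_KEYS = {  # constructed from the "Adds Run key" signature
    r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\kn\SystemPropertiesDataExecutionPrevention.exe",
}

# (source pid, target pid), three writes per target as in the report
WRITE_EVENTS = [(1136, t) for t in (2712, 2444, 1584, 1488, 2540, 2112) for _ in range(3)]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def relocated_system_binaries(events, system_names):
    """Events whose image has a System32 binary's name but runs from elsewhere."""
    hits = []
    for ev in events:
        directory, name = ntpath.split(ev["image"])
        if name.lower() in system_names and directory.lower() != SYSTEM32:
            hits.append(ev)
    return hits


def sideload_candidates(relocated, dropped_files):
    """(pid, binary, module) where a dropped file beside a relocated binary carries
    the name of a module that binary would otherwise load from System32."""
    by_dir = {}
    for path in dropped_files:
        directory, name = ntpath.split(path)
        by_dir.setdefault(directory.lower(), set()).add(name.lower())
    out = []
    for ev in relocated:
        directory, name = ntpath.split(ev["image"])
        planted = by_dir.get(directory.lower(), set()) & EXPECTED_IMPORTS.get(name.lower(), set())
        out.extend((ev["pid"], name, module) for module in sorted(planted))
    return out


def suspicious_autoruns(run_keys, dropped_files):
    """Run values and Startup-folder shortcuts whose target sits under a user's AppData."""
    findings = [("run_key", key, target) for key, target in run_keys.items()
                if USER_PROFILE.match(target.strip('"'))]
    findings += [("startup_lnk", path, None) for path in dropped_files
                 if USER_PROFILE.match(path) and "\\startup\\" in path.lower()
                 and path.lower().endswith(".lnk")]
    return findings


def multi_target_writers(write_events, min_targets=3):
    """Source PIDs that WriteProcessMemory into at least min_targets distinct processes."""
    targets = {}
    for src, dst in write_events:
        targets.setdefault(src, set()).add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def run_hunt():
    # Baseline: every name observed launching from System32 in the same data,
    # plus the pairs above. A real hunt would use a full System32 inventory.
    seen_in_system32 = {ntpath.basename(ev["image"]).lower() for ev in PROCESS_EVENTS
                        if ntpath.dirname(ev["image"]).lower() == SYSTEM32}
    relocated = relocated_system_binaries(PROCESS_EVENTS, seen_in_system32 | set(EXPECTED_IMPORTS))
    return {
        "relocated": [ev["pid"] for ev in relocated],
        "sideload": sideload_candidates(relocated, DROPPED_FILES),
        "autoruns": suspicious_autoruns(RUN_KEYS, DROPPED_FILES),
        "writers": multi_target_writers(WRITE_EVENTS),
    }


if __name__ == "__main__":
    for section, rows in run_hunt().items():
        print(section, rows)
```

On this report's data the hunt returns PIDs 2444, 1488 and 2112 as relocated binaries, pairs each with the planted credui.dll, SYSDM.CPL or DUI70.dll in its directory, flags the Gdussggr Run value and the Startup .lnk, and names PID 1136 as the process writing into all six side-loading processes. The baseline here is deliberately built from the same event stream, which is why the System32 copies (2712, 1584, 2540) are needed as anchors; in production replace it with an inventory of %SystemRoot%\System32 image names so a relocated binary is caught even when the legitimate copy never ran.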
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\3Db9GhJ7k\SYSDM.CPL
Filesize 1.4MB
MD5 b0d50630eb998f83054a56b2b5e51e35
SHA1 c1d2233964041cc552ba3f904d3f12fc925fae3a
SHA256 9d6e62b32291d4a5ac3fc66902c3fa3df665bb4d315cdf1349abd561457b3f18
SHA512 17a237c51fde5d49e6c1299497c4f7d70e15ca63e954130e1cc3f040407e6add42b4d622344fd67cd0dc6ad8acf70b6f877f85d6cfe1a11a268e372231fd792b
-
C:\Users\Admin\AppData\Local\HDSH\DUI70.dll
Filesize 1.6MB
MD5 077c0714a1eba8306734ca0f771f58e2
SHA1 590b07bd6db20d31567236d637c52364bea71580
SHA256 aad700a7d3484253f5b37bd4d2ef33708e25c42e40702b9780273474c4a43ecc
SHA512 4f8dfaf8f1a68022af62b256e0ec2e9f6071eba1a6c617aa9ed0fac5685bc40fbc5ccb86b8730f49899323faebbf771d872b6ebbd0a47ed9e72861a6d7c042b8
-
C:\Users\Admin\AppData\Local\nFRD4N1\credui.dll
Filesize 1.4MB
MD5 a549ba68efd613cf2dfe6efb32ec8e91
SHA1 fa12657d92a8db89fda71361c6d0475d921bb0cc
SHA256 88c68adeebafd26421d575071470b961b936d9406db60d9ee5fc020f63a49d42
SHA512 44dac0ec822bc8538b886d63c3854a453c78037216df2ccd2923d35e317e437cbb59e1208f4f01dd6bce60ab147496d00b417871647743e283fc8adc3e9d3cb7
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk
Filesize 1KB
MD5 3dbf3b8b6098b4d1f1b44690ea9e8631
SHA1 87045fc80581b807ff16a96b1c6d87be66763424
SHA256 19b9c0218a2d7064807ad00a64b73e307e1d03095305a15ac9309bc6e5db55c7
SHA512 79fe91b42114aa36659e82ced011ed8a65933dde377ccd94192fbe5e4450bfc67bdb39e60d1c35ec140d0cfdc2e5e4adf022fb53b5f2e2af7702c432a9612b1f
-
\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
Filesize 80KB
MD5 e43ff7785fac643093b3b16a9300e133
SHA1 a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256 c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a
-
\Users\Admin\AppData\Local\HDSH\StikyNot.exe
Filesize 417KB
MD5 b22cb67919ebad88b0e8bb9cda446010
SHA1 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512 f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5
-
\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
Filesize 39KB
MD5 f40ef105d94350d36c799ee23f7fec0f
SHA1 ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256 eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512 f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1
Memory dumps
Every process in the chain carries one large region at 0x140000000 (1.5MB in 1632, 1136, 2444 and 1488; 1.7MB in 2112) plus a 28KB region; the sizes are consistent with the 1.4MB to 1.6MB dropped DLLs above being mapped at that base in each side-loading process. The 4KB region at 0x24F0000 in PID 1136 is the one the dridex_stager_shellcode rule matched.
-
memory/1136-24-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-27-0x0000000077930000-0x0000000077932000-memory.dmp   Filesize 8KB
-
memory/1136-4-0x0000000077596000-0x0000000077597000-memory.dmp    Filesize 4KB
-
memory/1136-15-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-26-0x00000000777A1000-0x00000000777A2000-memory.dmp   Filesize 4KB
-
memory/1136-14-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-13-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-11-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-9-0x0000000140000000-0x0000000140175000-memory.dmp    Filesize 1.5MB
-
memory/1136-67-0x0000000077596000-0x0000000077597000-memory.dmp   Filesize 4KB
-
memory/1136-36-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-38-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-5-0x00000000024F0000-0x00000000024F1000-memory.dmp    Filesize 4KB
-
memory/1136-10-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-12-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1136-25-0x00000000024D0000-0x00000000024D7000-memory.dmp   Filesize 28KB
-
memory/1136-8-0x0000000140000000-0x0000000140175000-memory.dmp    Filesize 1.5MB
-
memory/1136-7-0x0000000140000000-0x0000000140175000-memory.dmp    Filesize 1.5MB
-
memory/1488-80-0x0000000140000000-0x0000000140176000-memory.dmp   Filesize 1.5MB
-
memory/1488-75-0x0000000000190000-0x0000000000197000-memory.dmp   Filesize 28KB
-
memory/1632-45-0x0000000140000000-0x0000000140175000-memory.dmp   Filesize 1.5MB
-
memory/1632-0-0x0000000140000000-0x0000000140175000-memory.dmp    Filesize 1.5MB
-
memory/1632-3-0x0000000000120000-0x0000000000127000-memory.dmp    Filesize 28KB
-
memory/2112-95-0x0000000000290000-0x0000000000297000-memory.dmp   Filesize 28KB
-
memory/2112-92-0x0000000140000000-0x00000001401A9000-memory.dmp   Filesize 1.7MB
-
memory/2112-98-0x0000000140000000-0x00000001401A9000-memory.dmp   Filesize 1.7MB
-
memory/2444-62-0x0000000140000000-0x0000000140176000-memory.dmp   Filesize 1.5MB
-
memory/2444-58-0x0000000140000000-0x0000000140176000-memory.dmp   Filesize 1.5MB
-
memory/2444-56-0x0000000000100000-0x0000000000107000-memory.dmp   Filesize 28KB