Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 02:26

Static task: static1
Behavioral task: behavioral1
Sample: 6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
Resource: win7-20240220-en
General

Target: 6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
Size: 991KB
MD5: 6d0edb09621edea7ddd4aba369632419
SHA1: 90b7eb49388e711347ea0b7541141e6f1c35b4b3
SHA256: 2ea3c486674229c106c14ef49ebd4b2757963d866c102e90403c3e20fdb69365
SHA512: e1be1ee0a45ec79c86751f6ba8f608ff98ca0475758bd28b74e6fabf9ce76f5b1f9d26012419e6547557dc93b6e752403a7415a1f59a6dc188391175bbe4dfe6
SSDEEP: 24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
YARA match: dridex_stager_shellcode
Processes:
  resource: behavioral1
  memory dump: memory/1136-5-0x0000000002D70000-0x0000000002D71000-memory.dmp
  yara rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2384  rekeywiz.exe
  2368  mmc.exe
  1840  icardagt.exe

Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1136  (no process name recorded)
  2384  rekeywiz.exe
  1136  (no process name recorded)
  2368  mmc.exe
  1136  (no process name recorded)
  1840  icardagt.exe
  1136  (no process name recorded)

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Fxn4Ft\\mmc.exe"
  process: (not recorded)
  Note: the Run value points at a copy of mmc.exe under AppData\Roaming\Microsoft\Windows\Templates\Fxn4Ft\, a path that does not appear in the Downloads list below; the mmc.exe that executed during this run is the copy under AppData\Local\Cc5X\.

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mmc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rekeywiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2184  regsvr32.exe (3 entries)
  1136  (no process name recorded; the remaining 61 entries)

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                        target pid  target process
  PID 1136 wrote to memory of 2436   2436        rekeywiz.exe   (3 entries)
  PID 1136 wrote to memory of 2384   2384        rekeywiz.exe   (3 entries)
  PID 1136 wrote to memory of 1844   1844        mmc.exe        (3 entries)
  PID 1136 wrote to memory of 2368   2368        mmc.exe        (3 entries)
  PID 1136 wrote to memory of 2560   2560        icardagt.exe   (3 entries)
  PID 1136 wrote to memory of 1840   1840        icardagt.exe   (3 entries)
  Note: pid 1136 is the writer in all 18 entries and is also the pid that carries the dridex_stager_shellcode YARA match above, yet it has no entry in the process tree below (its image name is never recorded).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven entries are recorded at depth 1, i.e. without a parent. The WriteProcessMemory signature above records pid 1136 writing into each of the six non-regsvr32 processes, and that pid has no entry of its own here. Each of the three system binaries runs first from system32 and then as a copy from a random-named directory under AppData\Local; the Downloads section below lists, in each of those directories, a DLL carrying a system DLL name (slc.dll, UxTheme.dll, VERSION.dll) whose size is within a few KB of the submitted sample. That is the layout of DLL search-order hijacking (sideloading), with the copied signed binary as host.

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2184

C:\Windows\system32\rekeywiz.exe
  command line: C:\Windows\system32\rekeywiz.exe
  PID: 2436

C:\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
  command line: C:\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2384

C:\Windows\system32\mmc.exe
  command line: C:\Windows\system32\mmc.exe
  PID: 1844

C:\Users\Admin\AppData\Local\Cc5X\mmc.exe
  command line: C:\Users\Admin\AppData\Local\Cc5X\mmc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2368

C:\Windows\system32\icardagt.exe
  command line: C:\Windows\system32\icardagt.exe
  PID: 2560

C:\Users\Admin\AppData\Local\4gP\icardagt.exe
  command line: C:\Users\Admin\AppData\Local\4gP\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1840
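As an added worked example (not part of the sandbox output), the hunt logic below encodes the three behaviours that the signature tables, the process tree and the Downloads list on this page document: a system32 image name executing from a user-writable directory next to a dropped DLL that carries a system DLL name, a Run value whose command lives in the user profile, and a shortcut dropped into the Startup folder. The records it runs over are constructed from this report; the host/DLL name lists, the path regexes and the Finding type are assumptions of the example, not something the report itself defines.

```python
"""Hunt for the sideloading and persistence pattern recorded in this report.

Added example, not sandbox output. The records at the bottom are constructed
from the process tree, the signature tables and the Downloads list on this
page; the name lists and path patterns are this example's own assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Image names the loader copied out of system32 and the DLL names it dropped
# beside the copies (both sets taken from this report). A production hunt
# would carry a much longer list; this one is scoped to the page.
SIDELOAD_HOSTS = {"rekeywiz.exe", "mmc.exe", "icardagt.exe"}
SIDELOAD_DLLS = {"slc.dll", "uxtheme.dll", "version.dll"}

# Anything under a profile's AppData is user-writable; the drive letter is
# optional because the report lists some dropped files without one.
USER_WRITABLE = re.compile(r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\", re.I)
# HKCU ...\CurrentVersion\Run in the NT key form the sandbox records.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Startup folder in either long or 8.3 short-name form.
STARTUP_LNK = re.compile(r"\\(?:start menu|startm~1)\\programs\\startup\\[^\\]+\.lnk$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str   # dll_sideload | system_binary_in_appdata | run_key | startup_lnk
    pid: int    # 0 for registry and file findings, which carry no pid
    detail: str


def check_process(pid: int, image: str, dropped_dlls: list[str]) -> Finding | None:
    """A system32 image name running from a user-writable directory is
    suspicious on its own; it becomes a sideload finding when a dropped DLL
    with a system DLL name sits in the same directory (the layout of the
    three AppData\\Local copies in the process tree)."""
    if ntpath.basename(image).lower() not in SIDELOAD_HOSTS or not USER_WRITABLE.match(image):
        return None
    here = ntpath.dirname(image).lower()
    partners = [d for d in dropped_dlls
                if ntpath.dirname(d).lower() == here
                and ntpath.basename(d).lower() in SIDELOAD_DLLS]
    if partners:
        return Finding("dll_sideload", pid, f"{image} with {partners[0]}")
    return Finding("system_binary_in_appdata", pid, image)


def check_registry(key: str, data: str) -> Finding | None:
    """A Run value whose command points into the user profile (the Ydmmtcuy value)."""
    if RUN_KEY.search(key) and USER_WRITABLE.match(data.strip('"')):
        return Finding("run_key", 0, f"{ntpath.basename(key)} -> {data}")
    return None


def check_dropped_file(path: str) -> Finding | None:
    """A shortcut written into the Startup folder (the Piadwmdtymfdd.lnk drop)."""
    if STARTUP_LNK.search(path):
        return Finding("startup_lnk", 0, path)
    return None


def hunt(processes, registry_writes, dropped_files) -> list[Finding]:
    """Run all three checks over (pid, image), (key, data) and path records."""
    dlls = [p for p in dropped_files if p.lower().endswith(".dll")]
    findings: list[Finding] = []
    for pid, image in processes:
        if (f := check_process(pid, image, dlls)):
            findings.append(f)
    for key, data in registry_writes:
        if (f := check_registry(key, data)):
            findings.append(f)
    for path in dropped_files:
        if (f := check_dropped_file(path)):
            findings.append(f)
    return findings


# Records constructed from this report (pids and paths exactly as listed on the page).
PROCESSES = [
    (2184, r"C:\Windows\system32\regsvr32.exe"),
    (2436, r"C:\Windows\system32\rekeywiz.exe"),
    (2384, r"C:\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe"),
    (1844, r"C:\Windows\system32\mmc.exe"),
    (2368, r"C:\Users\Admin\AppData\Local\Cc5X\mmc.exe"),
    (2560, r"C:\Windows\system32\icardagt.exe"),
    (1840, r"C:\Users\Admin\AppData\Local\4gP\icardagt.exe"),
]
REGISTRY_WRITES = [
    (r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Fxn4Ft\mmc.exe"),
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\4gP\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Cc5X\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\F4lrdL\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk",
    r"\Users\Admin\AppData\Local\4gP\icardagt.exe",
    r"\Users\Admin\AppData\Local\Cc5X\mmc.exe",
    r"\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe",
]

if __name__ == "__main__":
    for f in hunt(PROCESSES, REGISTRY_WRITES, DROPPED_FILES):
        print(f"{f.kind:<25} pid={f.pid:<5} {f.detail}")
```

Run against the constructed records it yields five findings: one dll_sideload for each of pids 2384, 2368 and 1840, one run_key for Ydmmtcuy and one startup_lnk for Piadwmdtymfdd.lnk. The three system32 launches (2436, 1844, 2560) and the regsvr32 loader produce nothing, which is the point of keying on the image directory rather than the image name alone. The host/DLL name sets are deliberately the ones on this page; on a real estate they would be replaced with the sideload-prone binaries and DLL names the environment actually ships.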
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\4gP\VERSION.dll
  Filesize: 991KB
  MD5: e6ea64ba74d95b0af809dc13ffc36cc9
  SHA1: 698e9ae5feb0c893fc4dcef96dc7a3b655a806b9
  SHA256: 9b7c5da1dece53cdb27b4bf3bd5ae503a346e1d259240dd25f3e5de0b8cccf72
  SHA512: 09095e6f682aa764cf525ddc2646b0eb976cb199dfc8ec52db4ad2498bfd79427fb7947c4c15c6c18aabe99bfffae7fc5406b7dd60dc7e9d414777315f425e20

C:\Users\Admin\AppData\Local\Cc5X\UxTheme.dll
  Filesize: 993KB
  MD5: 2090330a89673b387a0386de551ce409
  SHA1: 7e1c53a55ef427582cd931ece935901ab71813b0
  SHA256: c081d641e5053e93ac95b4a25357bcaedad1516380725234a3ceabaee2d3c297
  SHA512: c7bfa49e84a35a023d5792695288e585e3ae4339925ae089337d23f8a27fdbc8680800a5af69dc9d8ab66cba0b3d9cb662b9dc1650334202382d562c83b066d3

C:\Users\Admin\AppData\Local\F4lrdL\slc.dll
  Filesize: 992KB
  MD5: d3a2dca4501fbc869f285e917764e042
  SHA1: 4d832951bf87e2a987aff13a0495e87846b31433
  SHA256: 40a643a88b791d84635a928470dbf1e40da491f41ea830979ed06adfee43971d
  SHA512: 457d6ca6a8fc417e3aa6a8a1b1247959ee13929f0d6bddddbcc1851fc1fd09f3a8b35801b6054e89047f32c45ea6b023a726065d9322d4fb179d8d72e9ed7c01

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
  Filesize: 1KB
  MD5: 34e201f150c68db776f70afab95063ba
  SHA1: 5f1534a679d3b4669be0b372408f438c5b14ac13
  SHA256: 9a96221337a6925a1384d46dad53bccb55bc0c6ac66ee82e62865b3d65216009
  SHA512: 39f00457be99dfaf1defe31f076e5410e47a011554970329b780be0abdfd49d5e6c053ecc66692236277fe69ce4113893897a36238c05690f1e5bffa603afe18

\Users\Admin\AppData\Local\4gP\icardagt.exe
  Filesize: 1.3MB
  MD5: 2fe97a3052e847190a9775431292a3a3
  SHA1: 43edc451ac97365600391fa4af15476a30423ff6
  SHA256: 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
  SHA512: 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

\Users\Admin\AppData\Local\Cc5X\mmc.exe
  Filesize: 2.0MB
  MD5: 9fea051a9585f2a303d55745b4bf63aa
  SHA1: f5dc12d658402900a2b01af2f018d113619b96b8
  SHA256: b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484
  SHA512: beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
  Filesize: 67KB
  MD5: 767c75767b00ccfd41a547bb7b2adfff
  SHA1: 91890853a5476def402910e6507417d400c0d3cb
  SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
  SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9
Memory dumps

Dumps with the same pid, address range and size are grouped; the braces list the dump indices. 0x140000000 is the default image base of a 64-bit PE, so the 1008KB mappings there in pids 2184 and 1136 and the 1012KB mappings in pids 2384, 2368 and 1840 are consistent with the submitted DLL and the dropped slc.dll/UxTheme.dll/VERSION.dll respectively being mapped at their preferred base.

memory/1136-{7,8,9,10,11,12,13,14,23,35,37}-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB (each of the 11 dumps)
memory/1136-5-0x0000000002D70000-0x0000000002D71000-memory.dmp
  Filesize: 4KB (the region matched by the dridex_stager_shellcode YARA rule above)
memory/1136-24-0x0000000002D50000-0x0000000002D57000-memory.dmp
  Filesize: 28KB
memory/1136-25-0x0000000076F81000-0x0000000076F82000-memory.dmp
  Filesize: 4KB
memory/1136-28-0x0000000077110000-0x0000000077112000-memory.dmp
  Filesize: 8KB
memory/1136-{4,63}-0x0000000076D76000-0x0000000076D77000-memory.dmp
  Filesize: 4KB (each)
memory/1840-94-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB
memory/2184-{0,44}-0x0000000140000000-0x00000001400FC000-memory.dmp
  Filesize: 1008KB (each)
memory/2184-3-0x00000000001C0000-0x00000000001C7000-memory.dmp
  Filesize: 28KB
memory/2368-71-0x0000000000370000-0x0000000000377000-memory.dmp
  Filesize: 28KB
memory/2368-77-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB
memory/2384-52-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB
memory/2384-{53,58}-0x0000000140000000-0x00000001400FD000-memory.dmp
  Filesize: 1012KB (each)