Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 02:26
Static task: static1
Behavioral task: behavioral1
- Sample: 6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
- Resource: win7-20240220-en
Note: the task list above names the behavioral1 (win7-20240220-en) run, but the platform line and the memory-dump paths below (behavioral2/memory/...) show that the signatures, process tree and artifacts on this page come from the behavioral2 run on win10v2004-20240508-en. The Windows 7 run's results are not on this page.
General
- Target: 6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
- Size: 991KB
- MD5: 6d0edb09621edea7ddd4aba369632419
- SHA1: 90b7eb49388e711347ea0b7541141e6f1c35b4b3
- SHA256: 2ea3c486674229c106c14ef49ebd4b2757963d866c102e90403c3e20fdb69365
- SHA512: e1be1ee0a45ec79c86751f6ba8f608ff98ca0475758bd28b74e6fabf9ce76f5b1f9d26012419e6547557dc93b6e752403a7415a1f59a6dc188391175bbe4dfe6
- SSDEEP: 24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
(nothing listed in this report)
Signatures
- YARA match: dridex_stager_shellcode
  resource: behavioral2/memory/3420-4-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The match is on a 4KB region (see the memory dump list at the end) in PID 3420, a process that does not appear in the process tree. PID 3420 is the process that later writes into, and launches, every binary in the tree, so this region is the injected stager rather than anything mapped by regsvr32 itself.
- Executes dropped EXE (3 IoCs)
  pid   process
  3492  quickassist.exe
  3296  EhStorAuthn.exe
  1368  ProximityUxHost.exe
- Loads dropped DLL (3 IoCs)
  pid   process
  3492  quickassist.exe
  3296  EhStorAuthn.exe
  1368  ProximityUxHost.exe
  Each of the three is a System32-named EXE placed in a random-named directory under AppData\Local (kN7, yf8L, 9smg) beside a DLL that shadows a System32 DLL name: UxTheme.dll next to quickassist.exe and EhStorAuthn.exe, WINMM.dll next to ProximityUxHost.exe (see Downloads). The process tree shows the genuine C:\Windows\system32 binary being started immediately before each copy. This is DLL search-order hijacking (side-loading): the relocated host resolves its import from its own directory before the system copy, so the dropped DLL runs inside a legitimately named process.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\TQ\\EhStorAuthn.exe"
  The persisted path (Roaming\Microsoft\Windows\SendTo\TQ) is a fourth drop location, distinct from the Local\yf8L directory EhStorAuthn.exe was observed running from; the SendTo\TQ copy and its sibling DLL are not in the Downloads list. The value name Bhelxfhv is random, like the directory names, so hunts should key on the target path living under AppData rather than on the name.
- Checks whether UAC is enabled (3 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by quickassist.exe (3492), EhStorAuthn.exe (3296) and ProximityUxHost.exe (1368), i.e. by the payload DLL once loaded in each side-loading host.
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (creating process not recorded in the report)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1992 regsvr32.exe: 4 events
  3420 (process name not recorded in the report): 60 events
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  PID 3420 alternately enabled SeShutdownPrivilege and SeCreatePagefilePrivilege, four times each.
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3420, twice
- Suspicious use of UnmapMainImage (1 IoCs)
  PID 3420
- Suspicious use of WriteProcessMemory (12 IoCs)
  Writer 3420 wrote into each of the six processes in the tree, twice each:
  4812 and 3492 (quickassist.exe)
  4844 and 3296 (EhStorAuthn.exe)
  4308 and 1368 (ProximityUxHost.exe)
  Every write originates from 3420, so 3420 is the controlling process for the whole side-loading chain, even though it is absent from the process tree.
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task name or action is recorded in the report.
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
  PID 1992 | Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\quickassist.exe
  PID 4812
- C:\Users\Admin\AppData\Local\kN7\quickassist.exe
  PID 3492 | Executes dropped EXE | Loads dropped DLL | Checks whether UAC is enabled
- C:\Windows\system32\EhStorAuthn.exe
  PID 4844
- C:\Users\Admin\AppData\Local\yf8L\EhStorAuthn.exe
  PID 3296 | Executes dropped EXE | Loads dropped DLL | Checks whether UAC is enabled
- C:\Windows\system32\ProximityUxHost.exe
  PID 4308
- C:\Users\Admin\AppData\Local\9smg\ProximityUxHost.exe
  PID 1368 | Executes dropped EXE | Loads dropped DLL | Checks whether UAC is enabled
Reading the tree: the sample is a DLL run through regsvr32 /s (silent registration, which calls the DLL's DllRegisterServer export). From there the loader ends up in PID 3420, which is not listed in the tree; that is consistent with 3420 being a pre-existing process that received the stager by injection rather than one spawned by the sample. PID 3420 then repeats one pattern three times: start the genuine System32 binary, then start a same-named copy from a random-named AppData\Local directory where the sibling UxTheme.dll or WINMM.dll is the payload. Only the AppData copies trigger the dropped-EXE, dropped-DLL and EnableLUA signatures, which is the side-loaded DLL executing.
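The side-loading triad and the user-level persistence shown above (Run key, Startup folder shortcut, Task Scheduler COM API) can be hunted on a live host with the following script. It is an added example written for this page, not part of the sandbox report or of the sample. It assumes PowerShell 5.1 or later, the ScheduledTasks module (Windows 8 / Server 2012 and later), and that it runs as the user whose HKCU and Startup folder are to be checked; the per-sample directory names kN7, yf8L, 9smg and the value name Bhelxfhv are deliberately not used, since the report shows them to be random.

```powershell
# Added hunting script (example, not from the report or the sample).
# 1. System32-named EXEs in user-writable AppData directories beside a DLL that
#    shadows a System32 DLL name but differs from the System32 copy (side-loading).
# 2. HKCU Run/RunOnce values, Startup-folder .lnk targets and scheduled-task actions
#    that point into AppData.

$System32       = Join-Path $env:WINDIR 'System32'
$AppDataPattern = '\\AppData\\(Local|Roaming)\\'   # matches both Local\kN7 and Roaming\...\SendTo\TQ

function Get-SideLoadCandidate {
    param(
        [string[]]$Root  = @($env:LOCALAPPDATA, $env:APPDATA),
        [int]$Depth      = 3
    )
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Filter '*.exe' -File -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe  = $_
            $twin = Join-Path $System32 $exe.Name
            if (-not (Test-Path -LiteralPath $twin)) { return }          # not a System32 name: skip
            $exeHash  = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            $twinHash = (Get-FileHash -LiteralPath $twin -Algorithm SHA256).Hash
            # The EXE itself is usually a byte-identical copy of the signed system binary;
            # the interesting file is the DLL beside it that shadows a System32 DLL name.
            Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sysDll = Join-Path $System32 $_.Name
                if (-not (Test-Path -LiteralPath $sysDll)) { return }    # does not shadow a System32 DLL
                $dropHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $sysHash  = (Get-FileHash -LiteralPath $sysDll -Algorithm SHA256).Hash
                if ($dropHash -eq $sysHash) { return }                   # genuine copy, not a hijack
                [pscustomobject]@{
                    Exe                 = $exe.FullName
                    ExeIdenticalToSys32 = ($exeHash -eq $twinHash)
                    ShadowDll           = $_.FullName
                    DllSHA256           = $dropHash
                    DllSignature        = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
        }
    }
}

function Get-AppDataAutostart {
    $hits = New-Object 'System.Collections.Generic.List[object]'
    # Run / RunOnce under the current user's hive (HKCU is the \REGISTRY\USER\<SID> seen in the report).
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $val = [string]$k.GetValue($name)
            if ($val -match $AppDataPattern) {
                $hits.Add([pscustomobject]@{ Source = $key; Name = $name; Target = $val })
            }
        }
    }
    # Startup-folder shortcuts: resolve each .lnk to its target before matching.
    $wsh     = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        if ($target -match $AppDataPattern) {
            $hits.Add([pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Target = $target })
        }
    }
    # Tasks created through the Task Scheduler COM API are ordinary tasks once registered.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $AppDataPattern) {
                $hits.Add([pscustomobject]@{
                    Source = "Task $($task.TaskPath)$($task.TaskName)"
                    Name   = $task.Author
                    Target = "$($a.Execute) $($a.Arguments)"
                })
            }
        }
    }
    $hits
}

Get-SideLoadCandidate | Format-Table -AutoSize
Get-AppDataAutostart  | Format-Table -AutoSize
```

The DLL check compares against the System32 copy by hash rather than by name or size, because the report shows two UxTheme.dll drops of identical size with different hashes; a hash allow-list of the dropped files would miss the next one. For fleet-wide use, replace the HKCU scan with a loop over the loaded hives under HKU:\ and run the Startup-folder check against each profile directory.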
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\9smg\ProximityUxHost.exe (263KB)
  MD5: 9ea326415b83d77295c70a35feb75577
  SHA1: f8fc6a4f7f97b242f35066f61d305e278155b8a8
  SHA256: 192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f
  SHA512: 2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692
- C:\Users\Admin\AppData\Local\9smg\WINMM.dll (996KB)
  MD5: ea6e45fa0159bd10d6f6761b0b4a6363
  SHA1: 86bc737630f495c9389877f02ae44b4fd1e79cd3
  SHA256: b570ea377f6eb2138b53811aaef335cdba7df4a5772a4f648a3a151de2164af8
  SHA512: 838946d39a258c879fe278aafcbf913a9a44a3266407620d0f22c57f997c5e0454df4f00c8a4dc2e12004fd80397b50cdf9f99552fd05c7ba8c94f4921989f32
- C:\Users\Admin\AppData\Local\kN7\UxTheme.dll (994KB)
  MD5: ca696435bc7434e0393cc96656ca24ec
  SHA1: acebca4ce3133e562252727c6e7fd5f5bea8bd06
  SHA256: 721dd874861fa7f7d6df3d55a4d283c012180a1739adec3e255925c56d779308
  SHA512: 0ef36d51e9f3593ff3728f05d2cc4ea6f9a51a9304eaf20442c389e2e02a876a906bae9de7a6fada385e8f19a58753c578dab3c4c91525a9a1c45f125fc493ec
- C:\Users\Admin\AppData\Local\kN7\quickassist.exe (665KB)
  MD5: d1216f9b9a64fd943539cc2b0ddfa439
  SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
  SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
  SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567
- C:\Users\Admin\AppData\Local\yf8L\EhStorAuthn.exe (128KB)
  MD5: d45618e58303edb4268a6cca5ec99ecc
  SHA1: 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
  SHA256: d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
  SHA512: 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd
- C:\Users\Admin\AppData\Local\yf8L\UxTheme.dll (994KB)
  MD5: 7db221526ddd7b39d716193a7b62a9a4
  SHA1: e5ff7161fb846203bfcb9e4e938d565783a62f24
  SHA256: 668489ad0ca293d8941a00ac65cd3d8551810c080c70596c2f6c0eb9f9dd87ff
  SHA512: ed2842209fc6168f629472df41308bec2f1196314c1eb141cf3afb9d4e062064c91d86243a26939aa67be3fff03b731371949039318baa15a0f767a68912f3b7
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk (1KB)
  MD5: 9a73ac0f6a2d177115860fa4cb266ed0
  SHA1: a852dab79c8aa7a70a4324e3c99f29de910e39af
  SHA256: e34b3bb554a8445111ac3df5a7a278cd4e7ac653a514d33955f6b7004b269deb
  SHA512: 58ce8513f5ecf4c8d185fae363a80c7f146b18db087cce0395d6276452fe23577366ccd4783f0e9d6fe7d8e89528f02814dd58e386bf22dd10219098a4ef85a2
Observations on the drops: the three shadow DLLs (994KB, 994KB, 996KB) are in the same size class as the 991KB submitted DLL, while the three EXEs are much smaller, so the payload is the DLL and the EXE is only the signed host. The two UxTheme.dll drops have the same size but differ in every hash, so they are not byte-for-byte copies of one another; detection should key on the location and pairing, not on these hashes. The Startup-folder shortcut Oabtankaq.lnk (written to the 8.3 short-name path shown) is a second persistence mechanism alongside the Run key; its target is not recorded in the report.
Memory dumps
pid   seq  range                                      size
1368  78   0x0000000140000000-0x00000001400FE000      1016KB
1368  83   0x0000000140000000-0x00000001400FE000      1016KB
1992  0    0x0000000140000000-0x00000001400FC000      1008KB
1992  3    0x0000000000D80000-0x0000000000D87000      28KB
1992  37   0x0000000140000000-0x00000001400FC000      1008KB
3296  64   0x000002179D660000-0x000002179D667000      28KB
3296  67   0x0000000140000000-0x00000001400FD000      1012KB
3420  4    0x0000000002CA0000-0x0000000002CA1000      4KB   (YARA: dridex_stager_shellcode)
3420  6    0x0000000140000000-0x00000001400FC000      1008KB
3420  7    0x0000000140000000-0x00000001400FC000      1008KB
3420  8    0x0000000140000000-0x00000001400FC000      1008KB
3420  9    0x0000000140000000-0x00000001400FC000      1008KB
3420  10   0x0000000140000000-0x00000001400FC000      1008KB
3420  11   0x0000000140000000-0x00000001400FC000      1008KB
3420  12   0x0000000140000000-0x00000001400FC000      1008KB
3420  13   0x0000000140000000-0x00000001400FC000      1008KB
3420  22   0x0000000140000000-0x00000001400FC000      1008KB
3420  26   0x00007FFB37DFA000-0x00007FFB37DFB000      4KB
3420  27   0x0000000002AE0000-0x0000000002AE7000      28KB
3420  28   0x00007FFB38A70000-0x00007FFB38A80000      64KB
3420  34   0x0000000140000000-0x00000001400FC000      1008KB
3492  45   0x0000000140000000-0x00000001400FD000      1012KB
3492  47   0x00000223E2B30000-0x00000223E2B37000      28KB
3492  50   0x0000000140000000-0x00000001400FD000      1012KB
Reading the dumps: every stage maps a roughly 1MB image at 0x140000000. In regsvr32 (1992) and in 3420 it is 1008KB, matching the 991KB submitted DLL; in the quickassist.exe and EhStorAuthn.exe hosts (3492, 3296) it is 1012KB, matching the 994KB UxTheme.dll drops; in the ProximityUxHost.exe host (1368) it is 1016KB, matching the 996KB WINMM.dll drop. The same-sized 1008KB image appearing in both 1992 and 3420 is consistent with the loader being re-mapped into 3420 by injection. Each stage also shows one 28KB private allocation (1992, 3420, 3296, 3492), and 3420 additionally holds the 4KB stager region that matched the YARA rule plus two small regions in the 0x7FFB... range where system DLLs are mapped.