Analysis

Max time kernel: 150s
Max time network: 127s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 25-05-2024 19:29
Static task: static1
Behavioral task: behavioral1
Sample: 7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll
Resource: win7-20240221-en
General

Target: 7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll
Size: 989KB
MD5: 7303cf03681a2d8ce2bb2394c9ad8b2d
SHA1: 3f05fbfc73e0417121d2136ec9625be7e98b657d
SHA256: d0b3168b35cde2b10104172a2f4ea91ccc3c2fc7adeb848d4db55c48d7a333da
SHA512: f9ccb27b279372bb96cb954359e7343f19be65340aa9aed4d66011f6ac718ac5ef4a42675d08344ad667778bb3a24c9392128a3149a40087d804b93e219063be
SSDEEP: 24576:jVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:jV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures

YARA rule match (resource / yara_rule):
- behavioral1/memory/1192-5-0x0000000002700000-0x0000000002701000-memory.dmp: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
Processes (pid / process):
- 2408 SystemPropertiesProtection.exe
- 760 spreview.exe
- 2320 SystemPropertiesProtection.exe

Loads dropped DLL (7 IoCs)
Processes (pid / process):
- 1192
- 2408 SystemPropertiesProtection.exe
- 1192
- 760 spreview.exe
- 1192
- 2320 SystemPropertiesProtection.exe
- 1192

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\KyVn0brE\\spreview.exe"

Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesProtection.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spreview.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesProtection.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
- 2492 rundll32.exe (3 entries)
- 1192 (61 entries, process name not recorded)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description / pid / process / target process; each line recorded three times):
- PID 1192 wrote to memory of 2196 (SystemPropertiesProtection.exe)
- PID 1192 wrote to memory of 2408 (SystemPropertiesProtection.exe)
- PID 1192 wrote to memory of 340 (spreview.exe)
- PID 1192 wrote to memory of 760 (spreview.exe)
- PID 1192 wrote to memory of 564 (SystemPropertiesProtection.exe)
- PID 1192 wrote to memory of 2320 (SystemPropertiesProtection.exe)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe (PID 2492)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\SystemPropertiesProtection.exe (PID 2196)
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe

- C:\Users\Admin\AppData\Local\ydf6LmM\SystemPropertiesProtection.exe (PID 2408)
  Command line: C:\Users\Admin\AppData\Local\ydf6LmM\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\spreview.exe (PID 340)
  Command line: C:\Windows\system32\spreview.exe

- C:\Users\Admin\AppData\Local\IcsCbV\spreview.exe (PID 760)
  Command line: C:\Users\Admin\AppData\Local\IcsCbV\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\SystemPropertiesProtection.exe (PID 564)
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe

- C:\Users\Admin\AppData\Local\1F8Rjwf5s\SystemPropertiesProtection.exe (PID 2320)
  Command line: C:\Users\Admin\AppData\Local\1F8Rjwf5s\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads