Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-05-2024 12:12

Static task: static1
Behavioral task: behavioral1
- Sample: 791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll
- Resource: win7-20240221-en
General
- Target: 791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll
- Size: 990KB
- MD5: 791ccdb6ee9aec99c283d3aa5abaf42c
- SHA1: aa96e92baa5a5fc4cfb9963bebd1c32ed0b1969b
- SHA256: 61d82c261caf4346ce16385a69192ff356f9bb1455d34802d362f6efdfc199e1
- SHA512: 55b4a90eeec621f460b46f91ce478d22f7d9808f2c8e7f18cc89a9af77ee3173a176f3b6e6538a7618b52e74a0879615db9fd54209ff8b584e0884256d8f64db
- SSDEEP: 24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- YARA match: dridex_stager_shellcode
  resource: behavioral1/memory/1196-5-0x0000000002E20000-0x0000000002E21000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid / process:
  2724 SoundRecorder.exe
  2680 StikyNot.exe
  1676 BitLockerWizardElev.exe
- Loads dropped DLL (7 IoCs)
  pid / process:
  1196
  2724 SoundRecorder.exe
  1196
  2680 StikyNot.exe
  1196
  1676 BitLockerWizardElev.exe
  1196
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1298544033-3225604241-2703760938-1000\\3BYyyL\\StikyNot.exe"
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  processes: rundll32.exe, SoundRecorder.exe, StikyNot.exe, BitLockerWizardElev.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process: 2756 rundll32.exe (3 entries); all remaining entries are PID 1196 with no process name recorded
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / target process (each recorded 3 times):
  PID 1196 wrote to memory of 2608 / 1196 / SoundRecorder.exe
  PID 1196 wrote to memory of 2724 / 1196 / SoundRecorder.exe
  PID 1196 wrote to memory of 1856 / 1196 / StikyNot.exe
  PID 1196 wrote to memory of 2680 / 1196 / StikyNot.exe
  PID 1196 wrote to memory of 1976 / 1196 / BitLockerWizardElev.exe
  PID 1196 wrote to memory of 1676 / 1196 / BitLockerWizardElev.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2756
- C:\Windows\system32\SoundRecorder.exe
  command line: C:\Windows\system32\SoundRecorder.exe
  PID: 2608
- C:\Users\Admin\AppData\Local\w8f\SoundRecorder.exe
  command line: C:\Users\Admin\AppData\Local\w8f\SoundRecorder.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2724
- C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 1856
- C:\Users\Admin\AppData\Local\pphG\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\pphG\StikyNot.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2680
- C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 1976
- C:\Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1676
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\DE3\FVEWIZ.dll
  Filesize: 992KB
  MD5: d3a1a091620e8a708cac80b89e3f868a
  SHA1: 06da90c2236876f92c2accecf41878bfdf923628
  SHA256: 474b5bbdc67a0ab99a9d04cb417911daa6f164889ccf34532845f71dc6ca34a5
  SHA512: c1af35a2710274b178f1ed23c20ac88d6347840555ca74f9582167816f2e682147eb68e14a30c0f491b07430d0855df5b1671b944e3d2b5abedd399b739c4755
- C:\Users\Admin\AppData\Local\pphG\slc.dll
  Filesize: 991KB
  MD5: 6b79fed2f21e9406a55dbec0b9861785
  SHA1: 32b6814234f18ca71f16cb3aa34522bfcbc44f75
  SHA256: 5e76802ec6acad0f576e2fe0409a6e1f5d226ea9128d93b4aa721a9627025a21
  SHA512: 4d01850e51d777de7795ed693ef0373198ab809d97a86be10c802bdec4bfcbfb16c3fbc77a3439407ebac0147fa2a72aa6814439bd4fb5094325feaa4ce7bfe7
- C:\Users\Admin\AppData\Local\w8f\WINMM.dll
  Filesize: 995KB
  MD5: d88056340eb1a98eec3e3fcc0a20959b
  SHA1: 7de8c303b5a33bacd4626d1cfb69f800ac86ac6a
  SHA256: 87871aa9f473c0d1c7bd7976785df454d5718a89de403263d1be423ab0786b70
  SHA512: be3c16cfd9f21061f978286cbdedd3b7b7be7d9bf91be403ad84f8ff4279d2b5b5f0f125c61b8fe7b10fb6480b27f48b8e6460b43fe49a12a977cff99bc076fe
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
  Filesize: 1KB
  MD5: f226388646720cdd05aada005d1577e1
  SHA1: c16b30565effa3f6c95ec6e3e9b5a90b0cf36575
  SHA256: d12b5f87e4fe9335b4b03d04cd7fe873595cf2b32c6d5a659c210b0fb2f77573
  SHA512: 6a8ccfd5ef0f9b700887f4f000c7ce42b7a973120801c7585bb19e050eebe8d0877de4a0960112e2e0c7c09b00552c5dc163d7e64dfa701290cf9ded641903a5
- \Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
  Filesize: 98KB
  MD5: 73f13d791e36d3486743244f16875239
  SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
  SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
  SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
- \Users\Admin\AppData\Local\pphG\StikyNot.exe
  Filesize: 417KB
  MD5: b22cb67919ebad88b0e8bb9cda446010
  SHA1: 423a794d26d96d9f812d76d75fa89bffdc07d468
  SHA256: 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
  SHA512: f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5
- \Users\Admin\AppData\Local\w8f\SoundRecorder.exe
  Filesize: 139KB
  MD5: 47f0f526ad4982806c54b845b3289de1
  SHA1: 8420ea488a2e187fe1b7fcfb53040d10d5497236
  SHA256: e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
  SHA512: 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d
Memory dumps (path, Filesize):
- memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-26-0x0000000077800000-0x0000000077802000-memory.dmp, 8KB
- memory/1196-25-0x0000000077671000-0x0000000077672000-memory.dmp, 4KB
- memory/1196-24-0x0000000002E00000-0x0000000002E07000-memory.dmp, 28KB
- memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-4-0x0000000077466000-0x0000000077467000-memory.dmp, 4KB
- memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-5-0x0000000002E20000-0x0000000002E21000-memory.dmp, 4KB
- memory/1196-72-0x0000000077466000-0x0000000077467000-memory.dmp, 4KB
- memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/1676-89-0x0000000001AC0000-0x0000000001AC7000-memory.dmp, 28KB
- memory/1676-95-0x0000000140000000-0x00000001400FD000-memory.dmp, 1012KB
- memory/2680-70-0x0000000140000000-0x00000001400FD000-memory.dmp, 1012KB
- memory/2680-74-0x00000000002A0000-0x00000000002A7000-memory.dmp, 28KB
- memory/2680-77-0x0000000140000000-0x00000001400FD000-memory.dmp, 1012KB
- memory/2724-58-0x0000000140000000-0x00000001400FE000-memory.dmp, 1016KB
- memory/2724-55-0x00000000001A0000-0x00000000001A7000-memory.dmp, 28KB
- memory/2724-52-0x0000000140000000-0x00000001400FE000-memory.dmp, 1016KB
- memory/2756-3-0x0000000000130000-0x0000000000137000-memory.dmp, 28KB
- memory/2756-44-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB
- memory/2756-0-0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB