Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 23:41

Static task: static1
Behavioral task: behavioral1
- Sample: 7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll
- Resource: win7-20240215-en
General
- Target: 7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll
- Size: 1.2MB
- MD5: 7ecdae8ff4ce7a29e1cc131d4ff098b0
- SHA1: 883913c06a7e5867ecadaa6c5943c2875066e9e1
- SHA256: f85f26d71c527e7078122cfaee013e2881573630fdcfc8dcde64a24698824105
- SHA512: 7930e981d2eda7b6f9c2a76d1861ec65cbcf897b086f456296a9ea1d3979da2b432cace42dd9b3b24a23669df598566bb4e189c3c4956205658d6ceaf23278ee
- SSDEEP: 24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- YARA rule match (behavioral1)
  Processes:
  resource                                                                    yara_rule                process
  behavioral1/memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp  dridex_stager_shellcode  (name not recorded)
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  2484  osk.exe
  304   DisplaySwitch.exe
  2296  dialer.exe
- Loads dropped DLL (7 IoCs)
  Processes:
  pid   process
  1216  (name not recorded)
  2484  osk.exe
  1216  (name not recorded)
  304   DisplaySwitch.exe
  1216  (name not recorded)
  2296  dialer.exe
  1216  (name not recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ddNcrhaG\\DisplaySwitch.exe"
  process: (name not recorded)
- Checks whether UAC is enabled
  Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DisplaySwitch.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dialer.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  osk.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   process              entries
  844   rundll32.exe         3
  1216  (name not recorded)  61
- Suspicious use of WriteProcessMemory (18 IoCs; each row below is recorded three times)
  Processes:
  description                       pid   process              target process
  PID 1216 wrote to memory of 1872  1216  (name not recorded)  osk.exe
  PID 1216 wrote to memory of 2484  1216  (name not recorded)  osk.exe
  PID 1216 wrote to memory of 3016  1216  (name not recorded)  DisplaySwitch.exe
  PID 1216 wrote to memory of 304   1216  (name not recorded)  DisplaySwitch.exe
  PID 1216 wrote to memory of 2092  1216  (name not recorded)  dialer.exe
  PID 1216 wrote to memory of 2296  1216  (name not recorded)  dialer.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll,#1
  PID: 844
  Signatures:
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\osk.exe
  Command line: C:\Windows\system32\osk.exe
  PID: 1872
- C:\Users\Admin\AppData\Local\dIBR\osk.exe
  Command line: C:\Users\Admin\AppData\Local\dIBR\osk.exe
  PID: 2484
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 3016
- C:\Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
  PID: 304
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dialer.exe
  Command line: C:\Windows\system32\dialer.exe
  PID: 2092
- C:\Users\Admin\AppData\Local\YmSRh\dialer.exe
  Command line: C:\Users\Admin\AppData\Local\YmSRh\dialer.exe
  PID: 2296
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\55Aj7RtX\slc.dll
  Filesize: 1.2MB
  MD5: 4246276b8e07c4bb5be474cd747293df
  SHA1: 0168b91ccee23f81b43664c2f7f141da286212db
  SHA256: e34dd6a1470978df7378676bf2d0f687005bfdbb604e41197001db5eecadb8c5
  SHA512: 07a9d7ed95033a3a269afe14dbbae5aaf3fae0272c77925d06a4d4ba78f46d59085181127c9026ede801056198d6f93ad33703c47e570b913a4f0f68ab3ed8cf
- C:\Users\Admin\AppData\Local\YmSRh\TAPI32.dll
  Filesize: 1.2MB
  MD5: 7d5323fa636cb1f2ad669197365bfd04
  SHA1: 2ebd638297e2924fed6538af2a6c4b80e9956ada
  SHA256: 0e42638fffd75fd00c68d6de3013bbdb27d247941f0ae9bac41d6f98f5ab2fb4
  SHA512: c413afbeed24d06ae3cd377ceaffecf8d5355a99779b6778814769a1bdb1755500f3e41230b3ebbd9e347c16de245feaf0a92f305650b14403b6e919743891bf
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
  Filesize: 1KB
  MD5: 819c3266f0471edf9a85cb5ba0e56ad4
  SHA1: 112e76b29d7ce17bc68e93a187bb58b0a2611953
  SHA256: 70499e29ae111a26d7fb70f1d0ea507e6e2eff2dee9e28a4874612867f5566fe
  SHA512: eac12ae63c2c73d87a0bab5fa4f0975f8cfd30754218048ed87e1f919e774f84eef629b27c08b68714086ea234da9cce18023603ce23382cfafd378fd911c538
- \Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
  Filesize: 517KB
  MD5: b795e6138e29a37508285fc31e92bd78
  SHA1: d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
  SHA256: 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
  SHA512: 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1
- \Users\Admin\AppData\Local\YmSRh\dialer.exe
  Filesize: 34KB
  MD5: 46523e17ee0f6837746924eda7e9bac9
  SHA1: d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
  SHA256: 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
  SHA512: c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a
- \Users\Admin\AppData\Local\dIBR\dwmapi.dll
  Filesize: 1.2MB
  MD5: 8697a281f0cc756d6a596eb1b776bdf3
  SHA1: 85ffc4a0de329ad6e6b51ed766f7bdb517eb6994
  SHA256: 36372ddafdba2edf9da0c2757f945224c3222be35b3c8b0cf58085a8975a1c94
  SHA512: 29a86b749af5e899f8ba7d66fab691ae9055afb4a72629ad0d784695af0480dd553e1e286da5354187ecc40469e692a2e0f63ce0aa24944e83b3345599a354f4
- \Users\Admin\AppData\Local\dIBR\osk.exe
  Filesize: 676KB
  MD5: b918311a8e59fb8ccf613a110024deba
  SHA1: a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b
  SHA256: e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353
  SHA512: e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1
Memory dumps
  dump                                                          filesize
  memory/304-78-0x0000000140000000-0x0000000140143000-memory.dmp   1.3MB
  memory/304-72-0x0000000000420000-0x0000000000427000-memory.dmp   28KB
  memory/844-3-0x0000000000130000-0x0000000000137000-memory.dmp    28KB
  memory/844-0-0x0000000140000000-0x0000000140142000-memory.dmp    1.3MB
  memory/844-45-0x0000000140000000-0x0000000140142000-memory.dmp   1.3MB
  memory/1216-36-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-14-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-11-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-10-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-25-0x0000000002140000-0x0000000002147000-memory.dmp  28KB
  memory/1216-37-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-13-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-24-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-26-0x00000000778F1000-0x00000000778F2000-memory.dmp  4KB
  memory/1216-27-0x0000000077A80000-0x0000000077A82000-memory.dmp  8KB
  memory/1216-4-0x00000000777E6000-0x00000000777E7000-memory.dmp   4KB
  memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp   4KB
  memory/1216-8-0x0000000140000000-0x0000000140142000-memory.dmp   1.3MB
  memory/1216-15-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-9-0x0000000140000000-0x0000000140142000-memory.dmp   1.3MB
  memory/1216-71-0x00000000777E6000-0x00000000777E7000-memory.dmp  4KB
  memory/1216-12-0x0000000140000000-0x0000000140142000-memory.dmp  1.3MB
  memory/1216-7-0x0000000140000000-0x0000000140142000-memory.dmp   1.3MB
  memory/2296-90-0x0000000000110000-0x0000000000117000-memory.dmp  28KB
  memory/2296-96-0x0000000140000000-0x0000000140144000-memory.dmp  1.3MB
  memory/2296-91-0x0000000140000000-0x0000000140144000-memory.dmp  1.3MB
  memory/2484-59-0x0000000140000000-0x0000000140143000-memory.dmp  1.3MB
  memory/2484-54-0x0000000140000000-0x0000000140143000-memory.dmp  1.3MB
  memory/2484-53-0x0000000001AC0000-0x0000000001AC7000-memory.dmp  28KB