Analysis

- max time kernel: 150s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 11:28

Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: 7ccd309cb3d6064a84f92ed732b8b87e_JaffaCakes118.dll
  Resource: win7-20240419-en

Note that the task list as extracted names only behavioral1 (the Windows 7 resource), while the platform/resource fields above and the YARA hit under Signatures (behavioral2/...) describe a Windows 10 run; the signatures, process tree and memory dumps on this page belong to that Windows 10 task.
General

- Target: 7ccd309cb3d6064a84f92ed732b8b87e_JaffaCakes118.dll
- Size: 988KB
- MD5: 7ccd309cb3d6064a84f92ed732b8b87e
- SHA1: c65b2b78d37f299953d4116e2b87814c3fc50af4
- SHA256: 7dad2b337bedd59fa33e751f31a5ae20f4b23b18bf63f47459f303b4ea462236
- SHA512: e34242852d187ebd11896bce63e61b5821d2222c3243f235692c36bbe452e08a89255e2da53a04d0970b6acf2cf031e81dbb7cd8afc80ecfe847a9451cbb19c1
- SSDEEP: 24576:mVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:mV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config

(no configuration fields are present on this report)

Signatures

YARA match: dridex_stager_shellcode 1 IoCs
- resource: behavioral2/memory/3516-4-0x00000000087A0000-0x00000000087A1000-memory.dmp
- yara_rule: dridex_stager_shellcode
The rule fired on a 4KB region dumped from PID 3516 (memory/3516-4 under Downloads), not on the DLL as it sits on disk.

Executes dropped EXE 4 IoCs
- 2028 consent.exe
- 908 unregmp2.exe
- 4120 SysResetErr.exe
- 2720 CloudNotifications.exe

Loads dropped DLL 3 IoCs
- 908 unregmp2.exe
- 4120 SysResetErr.exe
- 2720 CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\dxcW\\SysResetErr.exe" (writing process not recorded)
The Run value points at yet another copy of SysResetErr.exe, this time under %APPDATA%\Microsoft\Proof\dxcW; that path does not appear among the dropped files captured in the Downloads section.

Checks whether UAC is enabled 4 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by unregmp2.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SysResetErr.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by CloudNotifications.exe

Modifies registry class 1 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (creating process not recorded)

Suspicious behavior: EnumeratesProcesses 64 IoCs
- 3936 rundll32.exe (4 entries)
- 3516 (the remaining 60 entries; the sandbox did not resolve an image name for this PID)

Suspicious use of FindShellTrayWindow 2 IoCs
- 3516 (2 entries)

Suspicious use of UnmapMainImage 1 IoCs
- 3516

Suspicious use of WriteProcessMemory 16 IoCs
Every entry has PID 3516 as the writing process (each target is listed twice in the raw report):
- PID 3516 wrote to memory of 4572 (consent.exe)
- PID 3516 wrote to memory of 2028 (consent.exe)
- PID 3516 wrote to memory of 4788 (unregmp2.exe)
- PID 3516 wrote to memory of 908 (unregmp2.exe)
- PID 3516 wrote to memory of 4620 (SysResetErr.exe)
- PID 3516 wrote to memory of 4120 (SysResetErr.exe)
- PID 3516 wrote to memory of 632 (CloudNotifications.exe)
- PID 3516 wrote to memory of 2720 (CloudNotifications.exe)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No individual task IoC is recorded for this signature on this page, so the task name and trigger are unknown.
Processes

All nine processes are shown at the same level: the sandbox did not attribute a parent to any of them, and the process that actually drives them (PID 3516, the writer in every WriteProcessMemory entry and the owner of the YARA-matched region) never appears in the tree.

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ccd309cb3d6064a84f92ed732b8b87e_JaffaCakes118.dll,#1
  PID: 3936
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 4572

- C:\Users\Admin\AppData\Local\kShlJD\consent.exe
  Command line: C:\Users\Admin\AppData\Local\kShlJD\consent.exe
  PID: 2028
  Signatures: Executes dropped EXE

- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 4788

- C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
  PID: 908
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Windows\system32\SysResetErr.exe
  Command line: C:\Windows\system32\SysResetErr.exe
  PID: 4620

- C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
  Command line: C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
  PID: 4120
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Windows\system32\CloudNotifications.exe
  Command line: C:\Windows\system32\CloudNotifications.exe
  PID: 632

- C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
  Command line: C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
  PID: 2720
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

The same pattern repeats four times: a Windows system binary (consent.exe, unregmp2.exe, SysResetErr.exe, CloudNotifications.exe) is started once from System32 and once from a freshly created folder under %LOCALAPPDATA%, and the Downloads section shows a DLL dropped beside three of those copies (DUI70.dll next to SysResetErr.exe, VERSION.dll next to unregmp2.exe, UxTheme.dll next to CloudNotifications.exe; no companion DLL was captured for consent.exe). Only the %LOCALAPPDATA% copies trigger "Loads dropped DLL", which is what DLL search-order hijacking (sideloading) looks like in a trace: the trusted host EXE resolves a DLL from its own directory before System32 and so loads the attacker's file. The rundll32 invocation of export ordinal #1 is the sample's entry point; everything after that is attributed to PID 3516.
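The launch pattern and dropped-file layout can be checked mechanically rather than by eye. The script below is an added example written for this page, not the sandbox's own code or output; its inputs are transcribed from the process tree above and the Downloads section (constructed data, not live telemetry). It flags images that carry a System32 filename but run from elsewhere, pairs each with any DLL dropped into its directory, and reports autorun entries that point into a user profile or at a file the capture never saw. The hard-coded System32 path and the helper names are assumptions for the example; on a live host you would feed the same functions process-creation and file-write events.

```python
"""Sideload / masquerade triage over the events recorded in this report.

Added example for this page; not the sandbox's code. The inputs below are
transcribed from the Processes and Downloads sections (constructed data).
"""
from collections import defaultdict
import ntpath

# Assumption for the example: the only trusted location for these images.
SYSTEM32 = r"c:\windows\system32"

# (pid, image path) as listed in the process tree on this page.
LAUNCHES = [
    (3936, r"C:\Windows\system32\rundll32.exe"),
    (4572, r"C:\Windows\system32\consent.exe"),
    (2028, r"C:\Users\Admin\AppData\Local\kShlJD\consent.exe"),
    (4788, r"C:\Windows\system32\unregmp2.exe"),
    (908, r"C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe"),
    (4620, r"C:\Windows\system32\SysResetErr.exe"),
    (4120, r"C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe"),
    (632, r"C:\Windows\system32\CloudNotifications.exe"),
    (2720, r"C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe"),
]

# Dropped files as listed under Downloads on this page.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Mu1\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe",
    r"C:\Users\Admin\AppData\Local\P68OC\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe",
    r"C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe",
    r"C:\Users\Admin\AppData\Local\Qcvj\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\kShlJD\consent.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk",
]

# Autostart artefacts from the Signatures and Downloads sections: (source, target).
AUTORUNS = [
    ("Run key Bhelxfhv", r"C:\Users\Admin\AppData\Roaming\Microsoft\Proof\dxcW\SysResetErr.exe"),
    ("Startup folder", r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk"),
]


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def system_binary_names(launches):
    """Image names seen running from System32 in this trace.

    On a live host, replace this with a listing of the real System32 directory
    or a hash allow-list; here the trace itself tells us which names belong to
    legitimate Windows binaries.
    """
    return {_name(p) for _, p in launches if _dir(p) == SYSTEM32}


def find_masquerades(launches):
    """(pid, path) of images that reuse a System32 filename but run from elsewhere."""
    known = system_binary_names(launches)
    return [(pid, p) for pid, p in launches if _name(p) in known and _dir(p) != SYSTEM32]


def pair_sideloads(masquerades, dropped):
    """Map each masquerading pid -> (path, DLLs dropped into the same directory).

    A Windows binary copied next to a DLL it normally resolves from System32
    loads the neighbour first (DLL search-order hijack). An empty list means
    no companion DLL was captured, not that none exists.
    """
    dlls_by_dir = defaultdict(list)
    for f in dropped:
        if _name(f).endswith(".dll"):
            dlls_by_dir[_dir(f)].append(ntpath.basename(f))
    return {pid: (path, sorted(dlls_by_dir.get(_dir(path), []))) for pid, path in masquerades}


def user_profile_autoruns(autoruns):
    """Autorun entries whose target lives under a user profile's AppData."""
    return [(src, tgt) for src, tgt in autoruns
            if "\\users\\" in tgt.lower() and "\\appdata\\" in tgt.lower()]


def uncaptured_autorun_targets(autoruns, dropped):
    """Executable autorun targets that never appeared as a dropped file."""
    captured = {f.lower() for f in dropped}
    return [tgt for _, tgt in autoruns
            if _name(tgt).endswith(".exe") and tgt.lower() not in captured]


if __name__ == "__main__":
    pairs = pair_sideloads(find_masquerades(LAUNCHES), DROPPED)
    for pid, (path, dlls) in sorted(pairs.items()):
        print(f"PID {pid}: {path} -> sideload candidates: {dlls or 'none captured'}")
    for src, tgt in user_profile_autoruns(AUTORUNS):
        print(f"autorun via {src}: {tgt}")
    for tgt in uncaptured_autorun_targets(AUTORUNS, DROPPED):
        print(f"autorun target not among dropped files: {tgt}")
```

Run against this report's data it yields four masquerading launches (PIDs 2028, 908, 4120, 2720), three of them paired with exactly one dropped DLL, both autostart entries under the user profile, and the Run-key target as the one executable the capture never recorded being written. The pairing is deliberately based on directory co-location rather than on a fixed list of "known sideloadable" DLL names, so it would also catch a host binary the analyst has not seen abused before.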
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files

- C:\Users\Admin\AppData\Local\Mu1\DUI70.dll
  Filesize: 1.2MB
  MD5: cf04c09e5819bc5f646713919bc7a277
  SHA1: d50ff9500dc1f96752951b29cfdd40c9a50244b5
  SHA256: b683fd658466eddee99d98badd6be22453c4bae2b528a9ad9a53a76add36e7a7
  SHA512: 67c08da6a6bd872970f5765c4df6965ac226eb27651135111d820afc38251d8c317ae495673e9aef440ee1acbfef3ccc544b4f028f4151bc66ebb7c6ddfb2093

- C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
  Filesize: 41KB
  MD5: 090c6f458d61b7ddbdcfa54e761b8b57
  SHA1: c5a93e9d6eca4c3842156cc0262933b334113864
  SHA256: a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
  SHA512: c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

- C:\Users\Admin\AppData\Local\P68OC\VERSION.dll
  Filesize: 989KB
  MD5: 153aff5ca7c7bdb18178ce9e97d3ecfa
  SHA1: 2d4f2db5683555531e5f87bbd4bc7be44b4df4d3
  SHA256: 4164e12439c4b8fa34ccca81cd23abc43508acbff27a8844f494531cb952020e
  SHA512: 4b1a59b59cf0d146d05f5bef649e2f64e3900cf0b9943ff050f42b05b07208dff7d281b2d13e9dafc0ee59bc9787c536b2734d1253452a6a3e96a37e41099701

- C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
  Filesize: 259KB
  MD5: a6fc8ce566dec7c5873cb9d02d7b874e
  SHA1: a30040967f75df85a1e3927bdce159b102011a61
  SHA256: 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
  SHA512: f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

- C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
  Filesize: 59KB
  MD5: b50dca49bc77046b6f480db6444c3d06
  SHA1: cc9b38240b0335b1763badcceac37aa9ce547f9e
  SHA256: 96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775
  SHA512: 2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

- C:\Users\Admin\AppData\Local\Qcvj\UxTheme.dll
  Filesize: 991KB
  MD5: 5b2dba77128632d2085cd0bfd0c58d2f
  SHA1: 8fd11277e2dba9b3c5dc400f6da8538207acec99
  SHA256: b29cd5ddde0e1cdfae46689a56c95e57c86c5f4605862edd2007d66a0ebccdb2
  SHA512: be60dc417bb87500d0543e9aa62a4b0b7b68918ef225ea2fabcb37bd7bfe017b9935d8fcd5811e8372bbfc4c62817c7126bdceeaa444c9d5ac6f9ae1d5ea826e

- C:\Users\Admin\AppData\Local\kShlJD\consent.exe
  Filesize: 162KB
  MD5: 6646631ce4ad7128762352da81f3b030
  SHA1: 1095bd4b63360fc2968d75622aa745e5523428ab
  SHA256: 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
  SHA512: 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
  Filesize: 834B
  MD5: e3fd9a7dd98324f8815caa8f2cf3327a
  SHA1: 3a993b0742cbe4848bd8b65a26695396e3e26fd4
  SHA256: 41ae870670dd7a1ef67c7ff56acc671c3c35db340162545c990ffdc90036bf5f
  SHA512: 9a6ab704e499dce8c64ea5a44f1c3297c77e5e3c91c6e3bf4b9bf5e84f6ee0094be458f489312f666c7e7546a8e7c60b8bc29ca3ca785e0a8bb00321aa042b02
  (Startup-folder shortcut; a second autostart alongside the Run key. Its target is not recorded on this page.)

Each of the three sideload folders holds a small Windows host EXE (41KB to 259KB) next to a DLL of roughly one megabyte (989KB to 1.2MB), the same size class as the submitted sample (988KB); the DLLs have distinct hashes from the sample and from each other.

Memory dumps

PID 908 (unregmp2.exe, P68OC copy)
- memory/908-52-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/908-55-0x000001C1E7220000-0x000001C1E7227000-memory.dmp: 28KB
- memory/908-58-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB

PID 2720 (CloudNotifications.exe, Qcvj copy)
- memory/2720-91-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB

PID 3516 (image name not resolved by the sandbox)
- memory/3516-4-0x00000000087A0000-0x00000000087A1000-memory.dmp: 4KB (YARA: dridex_stager_shellcode)
- memory/3516-6, -7, -8, -9, -10, -11, -12, -13, -22, -34: 0x0000000140000000-0x00000001400FC000-memory.dmp, 1008KB each (ten dumps of the same region)
- memory/3516-26-0x00007FFDF0EBA000-0x00007FFDF0EBB000-memory.dmp: 4KB
- memory/3516-27-0x0000000008780000-0x0000000008787000-memory.dmp: 28KB
- memory/3516-28-0x00007FFDF2DF0000-0x00007FFDF2E00000-memory.dmp: 64KB

PID 3936 (rundll32.exe)
- memory/3936-0-0x0000026F3C4E0000-0x0000026F3C4E7000-memory.dmp: 28KB
- memory/3936-2-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/3936-37-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB

PID 4120 (SysResetErr.exe, Mu1 copy)
- memory/4120-69-0x0000000140000000-0x0000000140142000-memory.dmp: 1.3MB
- memory/4120-72-0x000002EF55110000-0x000002EF55117000-memory.dmp: 28KB
- memory/4120-75-0x0000000140000000-0x0000000140142000-memory.dmp: 1.3MB

The large region at 0x140000000 is the one to pull for static analysis. Its size tracks the DLL dropped beside each host, not the host itself: 1008KB in rundll32 (3936) and 3516 against the 988KB sample, 1012KB in 908 and 2720 against VERSION.dll (989KB) and UxTheme.dll (991KB), and 1.3MB in 4120 against DUI70.dll (1.2MB), while the host EXEs are 41KB to 259KB. The small 28KB allocation that appears in 908, 3516, 3936 and 4120 is the same size in every process, and the 4KB region in 3516 is the only one the YARA rule matched.