Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2024 08:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll
  - Resource: win7-20240508-en
General
- Target: 80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll
- Size: 988KB
- MD5: 80184eee522c0774f344f21d1b042fde
- SHA1: 729c582affc7f092ecde4843fefea5c9b8ef0eda
- SHA256: b0b20b7a4671e450e009be0837c965d13511fb3a19df8f0d9d2fa47be720b1b6
- SHA512: 5d47bfb61235e2f0950903b8ab776e106a2a077ed582749edfff9705b1da73104dba72a5f1a668689b2bc15f1c2b2e72de441ed6a7afda43e8bd5d6230ddba55
- SSDEEP: 24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
YARA rule match 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1180-5-0x0000000002E90000-0x0000000002E91000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
2728 | recdisc.exe
860 | MpSigStub.exe
1568 | BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
1180 | (no process name in report)
2728 | recdisc.exe
1180 | (no process name in report)
860 | MpSigStub.exe
1180 | (no process name in report)
1568 | BitLockerWizardElev.exe
1180 | (no process name in report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\ASVHCOTpk\\MpSigStub.exe" | (no process name in report)
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | recdisc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MpSigStub.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BitLockerWizardElev.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2988 | rundll32.exe (3 entries)
1180 | (no process name in report; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | target process
PID 1180 wrote to memory of 2628 | 1180 | recdisc.exe (3 entries)
PID 1180 wrote to memory of 2728 | 1180 | recdisc.exe (3 entries)
PID 1180 wrote to memory of 1596 | 1180 | MpSigStub.exe (3 entries)
PID 1180 wrote to memory of 860 | 1180 | MpSigStub.exe (3 entries)
PID 1180 wrote to memory of 2772 | 1180 | BitLockerWizardElev.exe (3 entries)
PID 1180 wrote to memory of 1568 | 1180 | BitLockerWizardElev.exe (3 entries)
Every write originates from PID 1180, which is not listed in the process tree below. The targets are both the System32 copies (2628, 1596, 2772) and the dropped copies (2728, 860, 1568) of the three binaries.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
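The report only records that the Task Scheduler COM API was used, not the task it registered. A task created through that API ends up as an XML definition under %SystemRoot%\System32\Tasks (the same XML `schtasks /query /xml` prints), so the persistence can be hunted by parsing those definitions. The following is an added example, not Triage's code and not taken from the sample: it parses Task Scheduler 2.0 XML and flags boot- or logon-triggered actions that run from a user-writable path or that use rundll32/regsvr32 to load a DLL from one. The three task definitions are constructed for illustration; only the file paths in them come from this report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler 2.0 XML schema (what ITaskDefinition.XmlText,
# `schtasks /query /xml` and the files under System32\Tasks all use).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations a standard user can write to; a persisted action starting here is
# the pattern this sample uses (everything it dropped lives under AppData).
USER_PATH = re.compile(r"(?:%(?:appdata|localappdata|temp|tmp|userprofile)%|c:\\users\\)", re.I)
# Proxy executables that load a DLL named in their arguments.
LOLBIN = re.compile(r"\\(?:rundll32|regsvr32)\.exe$", re.I)


def parse_task(xml_text):
    """Extract trigger types and Exec actions from one task definition."""
    root = ET.fromstring(xml_text)
    trig_el = root.find(TASK_NS + "Triggers")
    triggers = [] if trig_el is None else [t.tag.replace(TASK_NS, "") for t in trig_el]
    actions = []
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = ex.findtext(TASK_NS + "Command", default="").strip().strip('"')
        args = ex.findtext(TASK_NS + "Arguments", default="").strip()
        actions.append((cmd, args))
    return {"triggers": triggers, "actions": actions}


def assess_task(xml_text):
    """Flag a boot/logon task whose action runs from, or loads a DLL from, a user path."""
    info = parse_task(xml_text)
    persistent = any(t in ("BootTrigger", "LogonTrigger") for t in info["triggers"])
    findings = []
    for cmd, args in info["actions"]:
        if USER_PATH.match(cmd):
            findings.append(("user-writable-command", cmd))
        elif LOLBIN.search(cmd) and USER_PATH.search(args):
            findings.append(("lolbin-loads-user-dll", cmd + " " + args))
    return {"persistent": persistent, "findings": findings}


# Constructed sample tasks (hypothetical; the report does not show the task the
# sample registered). The paths are the ones listed in this report.
TASK_SIDELOAD = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_RUNDLL = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\rundll32.exe</Command>
      <Arguments>C:\Users\Admin\AppData\Local\Temp\80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll,#1</Arguments>
    </Exec>
  </Actions>
</Task>"""

TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-05-29T08:25:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\system32\notepad.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("sideload", TASK_SIDELOAD), ("rundll32", TASK_RUNDLL), ("benign", TASK_BENIGN)):
        print(name, assess_task(xml_text))
```

To run this over a live host, feed it each file under C:\Windows\System32\Tasks as bytes rather than a decoded string: the on-disk definitions declare encoding="UTF-16", and expat refuses a multi-byte encoding declaration inside text that has already been decoded. The benign task shows the trigger check matters: the same command under a TimeTrigger is not persistence.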
Processes
Each entry carries depth marker 1, i.e. none is shown as a child of the rundll32.exe process that loaded the sample.
- C:\Windows\system32\rundll32.exe (PID 2988)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\recdisc.exe (PID 2628)
  Command line: C:\Windows\system32\recdisc.exe
- C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe (PID 2728)
  Command line: C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\MpSigStub.exe (PID 1596)
  Command line: C:\Windows\system32\MpSigStub.exe
- C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe (PID 860)
  Command line: C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizardElev.exe (PID 2772)
  Command line: C:\Windows\system32\BitLockerWizardElev.exe
- C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe (PID 1568)
  Command line: C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\HGAW3\SPP.dll
  Filesize: 989KB
  MD5: 34f6268b3390fef129d67e1822853387
  SHA1: 0cf857248436cf7bd81b3ea93b85b18c7083e040
  SHA256: d42f6e147abc6d796230ccc8faaf006d3a1c15777f8465a65fbf478b56389f61
  SHA512: 2eadd42c09eb0142da3d5691277e6328d6d38bb040eb8644fa98839cf2b0d602f9c0d2c28b65dac0481607bc149f6aadba71ea2a4d234ba7c4239427b2fb4faf
- C:\Users\Admin\AppData\Local\gtw\VERSION.dll
  Filesize: 989KB
  MD5: dcd5db92dbff5e2685077c333ea85539
  SHA1: 4730c827b9efe186f6dd8b3e981356f2a372cccf
  SHA256: 94208399048ac01ea205578dc4fd5e10092603669651b41e18c050dc45ff8b6f
  SHA512: 32c829f9419fdc3aee98a35c89a7b0066a9eda7cd6c490ea3c5e36c877c61d3fd5536d7cb1612ded0a1c7147d87ab4c7f61ee7660e705f5ea0876927ee5eb049
- C:\Users\Admin\AppData\Local\kmzISWfq7\FVEWIZ.dll
  Filesize: 990KB
  MD5: 4b9345f2f3443107773dd45baef691b8
  SHA1: a6fc2d6ee67ca9f65113c4d6061b82d9db646d2c
  SHA256: 4ae3b93afbacecb534ec252e4b5bd3908f0da410bfe0f6459bc4c3eaab1c9971
  SHA512: f7b4797d7fdc34006c9d5e05f2fa5e18def2ae64a005513643de3cdf70d29120b7cb44aeab039edf57669b0d646ba1a1204e3da22bf2dc22c833dde3759ddec5
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
  Filesize: 1KB
  MD5: 9246be8c323830a1e3349aa727472b31
  SHA1: 83e24a32600fbe60e5b42a6639bac43f61db753b
  SHA256: 2a855e1dbc631095c96f48fd49d52f2ed16478206bf22778c14ac7c2c3be4a34
  SHA512: 01c119b98d52d3cba4f25713c1f51e3d4a8b3319d778fb28bde71b7c26fdb921235d54a376da7f3fddb74d15dfb732585d392fbe0ec5a32fc39cbf090cfcfdf8
- \Users\Admin\AppData\Local\HGAW3\recdisc.exe
  Filesize: 232KB
  MD5: f3b306179f1840c0813dc6771b018358
  SHA1: dec7ce3c13f7a684cb52ae6007c99cf03afef005
  SHA256: dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
  SHA512: 9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4
- \Users\Admin\AppData\Local\gtw\MpSigStub.exe
  Filesize: 264KB
  MD5: 2e6bd16aa62e5e95c7b256b10d637f8f
  SHA1: 350be084477b1fe581af83ca79eb58d4defe260f
  SHA256: d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
  SHA512: 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542
- \Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe
  Filesize: 98KB
  MD5: 73f13d791e36d3486743244f16875239
  SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
  SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
  SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
- memory/860-76-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/860-73-0x00000000000F0000-0x00000000000F7000-memory.dmp: 28KB
- memory/1180-11-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-17-0x0000000002E70000-0x0000000002E77000-memory.dmp: 28KB
- memory/1180-8-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-7-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-24-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-25-0x0000000077981000-0x0000000077982000-memory.dmp: 4KB
- memory/1180-26-0x0000000077B10000-0x0000000077B12000-memory.dmp: 8KB
- memory/1180-35-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-36-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-4-0x0000000077776000-0x0000000077777000-memory.dmp: 4KB
- memory/1180-10-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-5-0x0000000002E90000-0x0000000002E91000-memory.dmp: 4KB
- memory/1180-14-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-13-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-9-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1180-12-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1568-91-0x0000000000290000-0x0000000000297000-memory.dmp: 28KB
- memory/1568-94-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/2728-58-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/2728-55-0x00000000001B0000-0x00000000001B7000-memory.dmp: 28KB
- memory/2728-52-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/2988-0-0x00000000003A0000-0x00000000003A7000-memory.dmp: 28KB
- memory/2988-44-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/2988-1-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
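Taken together, the process tree and the dropped-file list show one pattern three times: a System32 binary (recdisc.exe, MpSigStub.exe, BitLockerWizardElev.exe) is launched from its real location, then a copy is run from a fresh directory under AppData\Local next to a dropped DLL (SPP.dll, VERSION.dll, FVEWIZ.dll) of roughly the sample's own size, and the "Loads dropped DLL" rows for PIDs 2728, 860 and 1568 confirm the co-located DLL was loaded. Persistence is a Run key value and a Startup-folder shortcut, and every WriteProcessMemory call comes from PID 1180, which the tree never lists. The check below is an added example, not Triage's code: it pairs each copied system binary with the DLL dropped beside it, flags profile-relative persistence, and reports writer PIDs absent from the tree. All records are constructed from the paths and PIDs in this report (with the drive letter added to the three dropped-executable paths the report lists without one); the set of "system binary names" is simply the images the trace itself ran from C:\Windows\system32.

```python
import ntpath

# (pid, image path) constructed from the process tree above.
PROCESSES = [
    (2988, r"C:\Windows\system32\rundll32.exe"),
    (2628, r"C:\Windows\system32\recdisc.exe"),
    (2728, r"C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe"),
    (1596, r"C:\Windows\system32\MpSigStub.exe"),
    (860,  r"C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe"),
    (2772, r"C:\Windows\system32\BitLockerWizardElev.exe"),
    (1568, r"C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe"),
]

# (path, size in KB) constructed from the dropped-file list above; "C:" added
# to the three executables the report lists without a drive letter.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\HGAW3\SPP.dll", 989),
    (r"C:\Users\Admin\AppData\Local\gtw\VERSION.dll", 989),
    (r"C:\Users\Admin\AppData\Local\kmzISWfq7\FVEWIZ.dll", 990),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk", 1),
    (r"C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe", 232),
    (r"C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe", 264),
    (r"C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe", 98),
]

# (key path, value data) from the Run-key signature, data with the JSON escaping removed.
REG_SETS = [
    (r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj",
     r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\ASVHCOTpk\MpSigStub.exe"),
]

# (source pid, target pid) from the WriteProcessMemory signature (each row appears 3x there).
WRITES = [(1180, t) for t in (2628, 2728, 1596, 860, 2772, 1568)]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return path.lower().startswith("c:\\users\\")


def find_sideload_candidates(processes, dropped):
    """Pair each System32 image name executed from a user-writable directory with
    the DLLs dropped beside it: the staging pattern for DLL search-order hijacking."""
    system_names = {ntpath.basename(p).lower() for _, p in processes if is_system_path(p)}
    dlls_by_dir = {}
    for path, _ in dropped:
        if path.lower().endswith(".dll"):
            dlls_by_dir.setdefault(ntpath.dirname(path).lower(), []).append(ntpath.basename(path))
    hits = []
    for pid, image in processes:
        if ntpath.basename(image).lower() in system_names and is_user_writable(image):
            hits.append({"pid": pid, "image": image,
                         "dlls": dlls_by_dir.get(ntpath.dirname(image).lower(), [])})
    return hits


def find_persistence(dropped, reg_sets):
    """Run-key values and Startup-folder shortcuts that point into the user profile."""
    hits = []
    for key, data in reg_sets:
        if "\\currentversion\\run\\" in key.lower() and is_user_writable(data):
            hits.append(("run-key", key.rsplit("\\", 1)[1], data))
    for path, _ in dropped:
        if path.lower().endswith(".lnk") and "\\programs\\startup\\" in path.lower():
            hits.append(("startup-lnk", ntpath.basename(path), path))
    return hits


def find_unlisted_writers(writes, processes):
    """Source PIDs of WriteProcessMemory calls that never appear in the process tree."""
    known = {pid for pid, _ in processes}
    out = {}
    for src, dst in writes:
        if src not in known:
            out.setdefault(src, []).append(dst)
    return out


if __name__ == "__main__":
    for hit in find_sideload_candidates(PROCESSES, DROPPED):
        print("side-load staging:", hit)
    for hit in find_persistence(DROPPED, REG_SETS):
        print("persistence:", hit)
    for src, targets in find_unlisted_writers(WRITES, PROCESSES).items():
        print(f"PID {src} (absent from tree) wrote into {targets}")
```

One caveat the output makes visible: the Run key points at ...\Roaming\Adobe\Acrobat\9.0\ASVHCOTpk\MpSigStub.exe, a fourth directory that never appears in the dropped-file list, so a hunt driven only by the files above would miss the copy the sample actually persists; resolving every Run-key target against disk is the obvious follow-up. On a real host, replace the trace-derived `system_names` with an inventory of %SystemRoot%\System32 so that a copied binary is caught even when its original was never launched.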