Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 13:58

Static task: static1
Behavioral task: behavioral1
Sample: 873e68ab6613d1167288b61d0c678ffb_JaffaCakes118.dll
Resource: win7-20240419-en

Note: the behavioral1 task above names the win7-20240419-en image, but the signatures, process tree and memory dumps that follow are labelled behavioral2 and come from the windows10-2004_x64 / win10v2004-20240508-en run described in the header.
General

Target: 873e68ab6613d1167288b61d0c678ffb_JaffaCakes118.dll
Size: 988KB
MD5: 873e68ab6613d1167288b61d0c678ffb
SHA1: d5ef0c7035ca42a6fa34f8bb2b17b713ba0ed767
SHA256: 3f2488ce70762013f6f9676dd8befcbd5bbe5047ee4347721c2b3322e717c443
SHA512: f1ca4f58ee50b5e808bc88b3a22aacfa2d8c31113f7cf39091a50e09abc42efe69b83e5f4368a9f66c876e0b776380f1e9b1373d0bff05ba7c7eaad71121c798
SSDEEP: 24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm
Signatures

YARA rule match
resource / yara_rule:
behavioral2/memory/3508-4-0x0000000007DC0000-0x0000000007DC1000-memory.dmp  dridex_stager_shellcode
The matching region is a 4KB allocation in PID 3508. That PID is never given a process name anywhere in this report and is absent from the process tree, yet it is the process that writes into, and effectively launches, every dropped executable below (see "Suspicious use of WriteProcessMemory"), so it is the injected host process rather than the original rundll32.exe (PID 2264).

Executes dropped EXE (3 IoCs)
pid / process:
4160  upfc.exe
532   DevicePairingWizard.exe
2784  iexpress.exe

Loads dropped DLL (3 IoCs)
pid / process:
4160  upfc.exe
532   DevicePairingWizard.exe
2784  iexpress.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\1jKhAPZj\\DevicePairingWizard.exe"  (process column empty in the report)
Note that the Run value points at a copy under AppData\Roaming\...\SendTo\1jKhAPZj, which is a different location from the AppData\Local\UnNQd3xC7 copy seen executing in the process tree; the SendTo copy is not among the files listed under Downloads.

Checks whether UAC is enabled (4 IoCs)
description / ioc / process:
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  upfc.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DevicePairingWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  iexpress.exe

Modifies registry class (1 IoC)
description / ioc / process:
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (process column empty in the report)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process:
2264  rundll32.exe  (4 events)
3508  (60 events; no process name recorded)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / process:
Token: SeShutdownPrivilege        3508
Token: SeCreatePagefilePrivilege  3508
Token: SeShutdownPrivilege        3508
Token: SeCreatePagefilePrivilege  3508

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / process:
3508  (2 events)

Suspicious use of UnmapMainImage (1 IoC)
pid / process:
3508

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / target process:
PID 3508 wrote to memory of 1168  ->  upfc.exe                 (2 events)
PID 3508 wrote to memory of 4160  ->  upfc.exe                 (2 events)
PID 3508 wrote to memory of 3448  ->  DevicePairingWizard.exe  (2 events)
PID 3508 wrote to memory of 532   ->  DevicePairingWizard.exe  (2 events)
PID 3508 wrote to memory of 468   ->  iexpress.exe             (2 events)
PID 3508 wrote to memory of 2784  ->  iexpress.exe             (2 events)
For each of the three binaries the first target is the System32 original (1168, 3448, 468) and the second is the copy dropped under AppData\Local (4160, 532, 2784).

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All six entries sit at the top level of the tree: none is a child of rundll32.exe. Each system binary is first started from C:\Windows\system32, then a copy of it runs from a randomly named directory under AppData\Local, where it loads the dropped DLL that shares a directory with it (see Downloads).

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\873e68ab6613d1167288b61d0c678ffb_JaffaCakes118.dll,#1
  PID: 2264
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\upfc.exe
  command line: C:\Windows\system32\upfc.exe
  PID: 1168

C:\Users\Admin\AppData\Local\lm02\upfc.exe
  command line: C:\Users\Admin\AppData\Local\lm02\upfc.exe
  PID: 4160
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\DevicePairingWizard.exe
  command line: C:\Windows\system32\DevicePairingWizard.exe
  PID: 3448

C:\Users\Admin\AppData\Local\UnNQd3xC7\DevicePairingWizard.exe
  command line: C:\Users\Admin\AppData\Local\UnNQd3xC7\DevicePairingWizard.exe
  PID: 532
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\iexpress.exe
  command line: C:\Windows\system32\iexpress.exe
  PID: 468

C:\Users\Admin\AppData\Local\RX9Qm\iexpress.exe
  command line: C:\Users\Admin\AppData\Local\RX9Qm\iexpress.exe
  PID: 2784
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
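A hunting script for the artifacts this report records, added here as an example and not part of the sandbox output. It checks three things the report shows: HKCU Run values that launch something from the user profile (the report's value Pruztwesow points into AppData\Roaming\Microsoft\Windows\SendTo\1jKhAPZj), Startup-folder shortcuts whose target is under AppData (Arcabpqqvo.lnk), and %LOCALAPPDATA% subdirectories holding a copy of a System32 executable beside a DLL that carries a System32 DLL name but is not Microsoft-signed (lm02\upfc.exe + XmlLite.dll, UnNQd3xC7\DevicePairingWizard.exe + MFC42u.dll, RX9Qm\iexpress.exe + VERSION.dll). It also flags exact SHA256 matches against the dropped files listed under Downloads. The path heuristics and the function name Find-SideloadPersistence are my assumptions; the report does not state which import each copied executable resolves, so the DLL check goes by name and signature rather than by import table.

```powershell
# Added hunting script for the artifacts listed in this report; not part of the
# sandbox output. Hashes and drop paths come from the report, the heuristics and
# the function name are assumptions that generalise them.

# SHA256 of the dropped files listed under Downloads.
$KnownSha256 = @{
    '11fe0b20658e1a4336ad490661d1c6419580a087926b68d9e76fb1b34a9808e3' = 'RX9Qm\VERSION.dll'
    'd070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3' = 'RX9Qm\iexpress.exe'
    '2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b' = 'UnNQd3xC7\DevicePairingWizard.exe'
    '05cf2e9b40bb02ead0e8fa9a60132dd60cefba5cbfa82d33311136af92bcf384' = 'UnNQd3xC7\MFC42u.dll'
    '8464b004a138cd290792894c81650f4b642babc25a3d83cc131a63c295f5580e' = 'lm02\XmlLite.dll'
    'ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2' = 'lm02\upfc.exe'
}

function Find-SideloadPersistence {
    [CmdletBinding()]
    param(
        [string]$LocalAppData = $env:LOCALAPPDATA,
        [string]$System32     = (Join-Path $env:SystemRoot 'System32')
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. HKCU Run values that launch something from the user profile
    #    (report: Pruztwesow -> ...\AppData\Roaming\Microsoft\Windows\SendTo\1jKhAPZj\DevicePairingWizard.exe).
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not Run values
            if ([string]$p.Value -match '(?i)\\AppData\\(Roaming|Local)\\') {
                $findings.Add([pscustomobject]@{ Type = 'RunKey'; Path = "$runKey\$($p.Name)"; Detail = [string]$p.Value })
            }
        }
    }

    # 2. Startup-folder shortcuts whose target lives under AppData (report: Arcabpqqvo.lnk).
    $wsh     = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match '(?i)\\AppData\\') {
            $findings.Add([pscustomobject]@{ Type = 'StartupLnk'; Path = $lnk.FullName; Detail = $target })
        }
    }

    # 3. %LOCALAPPDATA%\<dir>\ holding a copy of a System32 executable beside a DLL that
    #    carries a System32 DLL name but is not Microsoft-signed: the search-order hijack
    #    pattern behind the report's "Loads dropped DLL" hits. Exact report hashes are
    #    flagged on their own as well.
    foreach ($dir in Get-ChildItem -Path $LocalAppData -Directory -ErrorAction SilentlyContinue) {
        $files = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.exe', '.dll' }
        foreach ($f in $files) {
            $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            if ($KnownSha256.ContainsKey($h)) {
                $findings.Add([pscustomobject]@{ Type = 'KnownHash'; Path = $f.FullName; Detail = "SHA256 matches report file $($KnownSha256[$h])" })
            }
        }
        foreach ($exe in ($files | Where-Object Extension -eq '.exe')) {
            $orig = Join-Path $System32 $exe.Name
            if (-not (Test-Path $orig)) { continue }     # no System32 namesake, not this pattern
            $isCopy = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash -eq (Get-FileHash -Path $orig -Algorithm SHA256).Hash
            foreach ($dll in ($files | Where-Object Extension -eq '.dll')) {
                if (-not (Test-Path (Join-Path $System32 $dll.Name))) { continue }
                $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
                if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') { continue }
                $why = if ($isCopy) { 'exact copy of the System32 binary' } else { 'same name as a System32 binary' }
                $findings.Add([pscustomobject]@{ Type = 'Sideload'; Path = $dll.FullName; Detail = "beside $($exe.Name) ($why); DLL signature: $($sig.Status)" })
            }
        }
    }
    return $findings
}

Find-SideloadPersistence | Format-Table -AutoSize -Wrap
```

Run it in the profile of the user being examined; HKCU, the Startup folder and %LOCALAPPDATA% need no elevation. The unsigned-DLL test is only the cheap first filter: a Microsoft-signed DLL with a System32 name next to a byte-for-byte copy of a System32 executable in a random-named directory is still worth pulling, and the KnownHash findings are the ones that tie a host to this specific sample.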
Downloads
C:\Users\Admin\AppData\Local\RX9Qm\VERSION.dll
Filesize: 989KB
MD5: 8a2ebdea416868b07b7a6d8c10f2a3bf
SHA1: a4f9f2ccde9c3cf4c078a39847419919ab4fb002
SHA256: 11fe0b20658e1a4336ad490661d1c6419580a087926b68d9e76fb1b34a9808e3
SHA512: 0778d8e530da48e64993cc6f564086d3560269340dd5e17517319e1f80844ee4093469e8e3bc707139cf352c83640c2a4013ebc8c5d432fcc9774681259d341b

C:\Users\Admin\AppData\Local\RX9Qm\iexpress.exe
Filesize: 166KB
MD5: 17b93a43e25d821d01af40ba6babcc8c
SHA1: 97c978d78056d995f751dfef1388d7cce4cc404a
SHA256: d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
SHA512: 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

C:\Users\Admin\AppData\Local\UnNQd3xC7\DevicePairingWizard.exe
Filesize: 93KB
MD5: d0e40a5a0c7dad2d6e5040d7fbc37533
SHA1: b0eabbd37a97a1abcd90bd56394f5c45585699eb
SHA256: 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
SHA512: 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

C:\Users\Admin\AppData\Local\UnNQd3xC7\MFC42u.dll
Filesize: 1015KB
MD5: 2d120d562d5cb85084ca8cecb3bc0061
SHA1: 93bf1ce8a13b102d90cd542cd7ac05cc13e358ee
SHA256: 05cf2e9b40bb02ead0e8fa9a60132dd60cefba5cbfa82d33311136af92bcf384
SHA512: 888da2f96c24aa8220c481dfb6d888ec8b4a3472211ed1c1e9d19b1775f87c26bc12c72f987dc28bfcdc72999d4fa85d846e403c33eed98fafaad4af79aacf0c

C:\Users\Admin\AppData\Local\lm02\XmlLite.dll
Filesize: 988KB
MD5: 7b68e32ab0fbfb2107b7f78b6a2d64e2
SHA1: c1b7215c63f49b5a8169f07758d468c65910f83b
SHA256: 8464b004a138cd290792894c81650f4b642babc25a3d83cc131a63c295f5580e
SHA512: a2c779672942956e4534fe194a081e06d4b938c848e14cfb268cf3ade839dcbe0a055b969c98d080a79d09816a13de3e634fe335b8e51cbfc32a158f5b6eecd9

C:\Users\Admin\AppData\Local\lm02\upfc.exe
Filesize: 118KB
MD5: 299ea296575ccb9d2c1a779062535d5c
SHA1: 2497169c13b0ba46a6be8a1fe493b250094079b7
SHA256: ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2
SHA512: 02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize: 1KB
MD5: 49a96bb72e525c1dc0123aea52e801de
SHA1: 4a08bc8bd7ceeb6e9b44553e770c1aa3699473d9
SHA256: 680cc2b1a7c8eae39f0ff9148387382dc911467e0b9d6e4b6a3798080dd00d37
SHA512: d4dc121769ab73c56211e53350f375b776378f9c3d1f94b176c69d2d88c472f2bdfe75925fe5c946f7981124c3e9c7e49f6e1268a454ac6c3c9c4971d15cd23c
Memory dumps (path: filesize):
memory/532-67-0x0000000140000000-0x0000000140103000-memory.dmp: 1.0MB
memory/532-62-0x0000000140000000-0x0000000140103000-memory.dmp: 1.0MB
memory/532-61-0x000001AF9D690000-0x000001AF9D697000-memory.dmp: 28KB
memory/2264-37-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/2264-1-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/2264-3-0x000001442EA10000-0x000001442EA17000-memory.dmp: 28KB
memory/2784-81-0x000001DB66290000-0x000001DB66297000-memory.dmp: 28KB
memory/2784-84-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
memory/3508-12-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-4-0x0000000007DC0000-0x0000000007DC1000-memory.dmp: 4KB
memory/3508-13-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-31-0x00007FF81DE8A000-0x00007FF81DE8B000-memory.dmp: 4KB
memory/3508-10-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-9-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-8-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-32-0x0000000007DA0000-0x0000000007DA7000-memory.dmp: 28KB
memory/3508-33-0x00007FF81F0B0000-0x00007FF81F0C0000-memory.dmp: 64KB
memory/3508-34-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-22-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-11-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-6-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/3508-7-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
memory/4160-50-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
memory/4160-47-0x000001B570ED0000-0x000001B570ED7000-memory.dmp: 28KB
memory/4160-44-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB