Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 00:10
Static task: static1
Behavioral task: behavioral1
Sample: 96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: 96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll
Size: 1.2MB
MD5: 96b832274e61991a1b255bdab51a546d
SHA1: a4ed93751ec4b20393f42b3c4f6ce45e71bd77c0
SHA256: f098328e0bc6d2b258c50a3edc49a757403d9e081245aacc8eac924606d66103
SHA512: 5c7f7291112d0a35a132d353286e0ae04ab3d2335bf958cedc5f438a959f7fae79a68b22b0870936db9da72e42b15555e0262ccf257c207fd240fd7667f93282
SSDEEP: 24576:MyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:MyWRKTt/QlPVp3h9
Malware Config
Signatures
YARA match
resource: behavioral2/memory/3376-4-0x0000000008710000-0x0000000008711000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid  process
1096 SystemPropertiesProtection.exe
1520 mstsc.exe
3736 wextract.exe
Loads dropped DLL 3 IoCs
pid  process
1096 SystemPropertiesProtection.exe
1520 mstsc.exe
3736 wextract.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\iXZRJakp42\\mstsc.exe" (writing process not recorded)
Checks whether UAC is enabled 4 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
queried by: SystemPropertiesProtection.exe, mstsc.exe, wextract.exe, rundll32.exe (one query each)
Modifies registry class 3 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  process
3764 rundll32.exe (4 entries)
3376 (image name not recorded; remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
pid 3376 (image name not recorded): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 4 entries each
Suspicious use of FindShellTrayWindow 2 IoCs
pid 3376 (image name not recorded), 2 entries
Suspicious use of UnmapMainImage 1 IoCs
pid 3376 (image name not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
PID 3376 wrote to memory of each target process below (each target appears twice in the report):
4036 SystemPropertiesProtection.exe
1096 SystemPropertiesProtection.exe
4416 mstsc.exe
1520 mstsc.exe
1668 wextract.exe
3736 wextract.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3764
- C:\Windows\system32\SystemPropertiesProtection.exe
  command line: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 4036
- C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
  command line: C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1096
- C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
  PID: 4416
- C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1520
- C:\Windows\system32\wextract.exe
  command line: C:\Windows\system32\wextract.exe
  PID: 1668
- C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
  command line: C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3736

Note: PID 3376, the source of every WriteProcessMemory entry above and the process whose memory region matched dridex_stager_shellcode, is absent from this tree and is never given an image name anywhere in the report. Each hijacked binary appears twice: once from C:\Windows\system32 and once as a copy executed from a randomly named directory under C:\Users\Admin\AppData\Local.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\2HPdhY1\VERSION.dll
  Filesize: 1.2MB
  MD5: 9a6df4587eae5a70c7261bf3050def9a
  SHA1: 0bbb8e8b009d4182f4e7c20659aa61ca22ed3c51
  SHA256: 10e24b8c35cac4bbf3a45bd7696db55ad80b1f5a7be42c9e3246036f1f746c97
  SHA512: 18118e5f2d1f7badf60fc0355cb7833aff69b34c0c129d549c91faf174890e1dc1fac0e6f6906d7c6e700efebdef93c3b3d719902d4b7b1498f83176ab25a96b
- C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
  Filesize: 143KB
  MD5: 56e501e3e49cfde55eb1caabe6913e45
  SHA1: ab2399cbf17dbee7b302bea49e40d4cee7caea76
  SHA256: fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
  SHA512: 2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172
- C:\Users\Admin\AppData\Local\VBphnY6b\SYSDM.CPL
  Filesize: 1.2MB
  MD5: ffe1fe24033b93b9616d67dd38148507
  SHA1: 8e2762c79622997e347323a93eef027578bdbb4c
  SHA256: 45de0e52efeb02710d3b68e70f80ef31055952ecb4ee030931463ff1e3ea3927
  SHA512: 24fb191c86b13aee4b723284b00a7dc384feaef1303cb22658cac09669bb090feb9706770ef119313389c89a2239abab57846032df7aa712e081805afa02015f
- C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
  Filesize: 82KB
  MD5: 26640d2d4fa912fc9a354ef6cfe500ff
  SHA1: a343fd82659ce2d8de3beb587088867cf2ab8857
  SHA256: a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
  SHA512: 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc
- C:\Users\Admin\AppData\Local\Xq9Yhs5hc\WINMM.dll
  Filesize: 1.2MB
  MD5: 8e1c01fbaf7c98bb2704a67e56e6e1d6
  SHA1: 9fb238056f758bf3126b2515905008c019e5b1b9
  SHA256: 953815d9b34d2687911b2b885b934987ed53e0e6c519bb351ca07c48ac1a0777
  SHA512: 7002695779c3a8f787362c404668a0c88161c5edfb00026e6ab501f5f32fe9adf17211d20b0ce5e8d74580ae8cb119c9224ae16b1f475594b57dc5b6d03b5f8e
- C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
  Filesize: 1.5MB
  MD5: 3a26640414cee37ff5b36154b1a0b261
  SHA1: e0c28b5fdf53a202a7543b67bbc97214bad490ed
  SHA256: 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f
  SHA512: 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
  Filesize: 1KB
  MD5: ff99974eda9921108cbc863b4c2511b9
  SHA1: 46385723f9acecd8eb7117e44ee23c3020676837
  SHA256: 08dcc186c9b9d43050b5c7d1586cad80c14357b73bb9eb229adfc4b3fc344f14
  SHA512: 86686ae21f7f0e65363d42004cfe095ff04fb339196b83029a01f48c8d61979de4b99b5abee86a3a6f14a592d09ced5580e2caa3c5218c328a3fbb18663c771b
Memory dumps (path, Filesize):
- memory/1096-52-0x0000000140000000-0x0000000140133000-memory.dmp (1.2MB)
- memory/1096-49-0x000001B63BBC0000-0x000001B63BBC7000-memory.dmp (28KB)
- memory/1096-46-0x0000000140000000-0x0000000140133000-memory.dmp (1.2MB)
- memory/1520-63-0x0000000140000000-0x0000000140134000-memory.dmp (1.2MB)
- memory/1520-66-0x0000013BEFA60000-0x0000013BEFA67000-memory.dmp (28KB)
- memory/1520-69-0x0000000140000000-0x0000000140134000-memory.dmp (1.2MB)
- memory/3376-35-0x00007FFA145F0000-0x00007FFA14600000-memory.dmp (64KB)
- memory/3376-5-0x00007FFA12DBA000-0x00007FFA12DBB000-memory.dmp (4KB)
- memory/3376-9-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-8-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-7-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-4-0x0000000008710000-0x0000000008711000-memory.dmp (4KB)
- memory/3376-11-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-13-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-14-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-16-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-34-0x0000000008670000-0x0000000008677000-memory.dmp (28KB)
- memory/3376-10-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-36-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-25-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-15-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3376-12-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3736-80-0x00000213921B0000-0x00000213921B7000-memory.dmp (28KB)
- memory/3736-86-0x0000000140000000-0x0000000140133000-memory.dmp (1.2MB)
- memory/3764-1-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3764-39-0x0000000140000000-0x0000000140132000-memory.dmp (1.2MB)
- memory/3764-3-0x0000016A0A500000-0x0000016A0A507000-memory.dmp (28KB)
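The Processes tree, the Run-key signature and the dropped-file list above together describe one pattern: a Windows binary runs from System32, then a copy of the same binary runs from a randomly named directory under AppData\Local where a 1.2MB module named after a system library (VERSION.dll, SYSDM.CPL, WINMM.dll) has just been dropped, and persistence points into the user profile. The script below is an added triage example, not Triage output and not code from the sample; the PROCESSES, DROPPED and RUN_VALUES records are hand-constructed from this report, and treating a co-located module as a DLL side-loading candidate is an analyst heuristic that the report itself does not assert.

```python
"""Pivots over the behaviour recorded in a sandbox report of this shape.

Added example; not Triage output and not code from the sample. The records
below are hand-constructed from this report's Processes, Signatures and
Downloads sections. The heuristic (a binary name that also ran from System32
in the same trace re-executed from a user-writable directory beside a freshly
dropped DLL/CPL) is an analyst rule of thumb for DLL side-loading, not a
claim made by the report.
"""
import re
from collections import defaultdict

SAMPLE_SIZE = "1.2MB"  # "Size" in the General section

# (pid, image path) as listed in the Processes tree.
PROCESSES = [
    ("3764", r"C:\Windows\system32\rundll32.exe"),
    ("4036", r"C:\Windows\system32\SystemPropertiesProtection.exe"),
    ("1096", r"C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe"),
    ("4416", r"C:\Windows\system32\mstsc.exe"),
    ("1520", r"C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe"),
    ("1668", r"C:\Windows\system32\wextract.exe"),
    ("3736", r"C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe"),
]

# (path, Filesize) of dropped files as listed under Downloads.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\2HPdhY1\VERSION.dll", "1.2MB"),
    (r"C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe", "143KB"),
    (r"C:\Users\Admin\AppData\Local\VBphnY6b\SYSDM.CPL", "1.2MB"),
    (r"C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe", "82KB"),
    (r"C:\Users\Admin\AppData\Local\Xq9Yhs5hc\WINMM.dll", "1.2MB"),
    (r"C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe", "1.5MB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk", "1KB"),
]

# (key, value) from "Adds Run key to start application".
RUN_VALUES = [
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\iXZRJakp42\mstsc.exe"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
STARTUP_DIR = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\", re.I)
MODULE_EXT = (".dll", ".cpl", ".ocx")


def _base(path):
    return path.rsplit("\\", 1)[-1]


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def find_sideload_candidates(processes, dropped, sample_size=SAMPLE_SIZE):
    """One finding per process whose image name also ran from System32 in the
    same trace but here runs from a user-writable directory. Loadable modules
    dropped into that directory are attached; a module the same size as the
    submitted sample is the likeliest hijacked import."""
    system_names = {_base(img).lower() for _, img in processes if SYSTEM_DIR.match(img)}
    modules_by_dir = defaultdict(list)
    for path, size in dropped:
        if path.lower().endswith(MODULE_EXT):
            modules_by_dir[_dir(path)].append((_base(path), size))
    findings = []
    for pid, img in processes:
        if USER_WRITABLE.match(img) and _base(img).lower() in system_names:
            mods = modules_by_dir.get(_dir(img), [])
            findings.append({
                "pid": pid,
                "image": img,
                "masquerades_as": _base(img),
                "colocated_modules": [name for name, _ in mods],
                "module_matches_sample_size": any(size == sample_size for _, size in mods),
            })
    return findings


def find_profile_autoruns(run_values, dropped):
    """Autorun entries resolving into the user profile: Run values whose target
    is user-writable, and .lnk files dropped into the Startup folder.
    target_seen_dropped is False when the Run target was never observed being
    written during the run, i.e. the sandbox did not capture that stage."""
    dropped_paths = {p.lower() for p, _ in dropped}
    findings = []
    for key, target in run_values:
        if USER_WRITABLE.match(target):
            findings.append({"kind": "run_key", "location": key, "target": target,
                             "target_seen_dropped": target.lower() in dropped_paths})
    for path, _ in dropped:
        if STARTUP_DIR.search(path) and path.lower().endswith(".lnk"):
            findings.append({"kind": "startup_lnk", "location": path})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(PROCESSES, DROPPED):
        print(f"[sideload] pid {f['pid']} {f['image']} <- {f['colocated_modules']}")
    for f in find_profile_autoruns(RUN_VALUES, DROPPED):
        print(f"[autorun] {f['kind']} {f['location']}")
```

Run against this report's records the side-loading pass flags PIDs 1096, 1520 and 3736 with SYSDM.CPL, WINMM.dll and VERSION.dll respectively, all matching the 1.2MB sample size, while rundll32.exe and the System32 originals are not flagged. The autorun pass reports the Run value and the Startup .lnk, and marks the Run target (…\Themes\CachedFiles\iXZRJakp42\mstsc.exe) as never observed among the dropped files, which is worth checking on a live host because the sandbox run did not record that write.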