Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 19:44
Static task: static1
Behavioral task: behavioral1
Sample: a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll
Resource: win7-20240611-en
General
Target: a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll
Size: 986KB
MD5: a20a9ea0f069c29005b8e3b222b43f4a
SHA1: 94b161727a86e53b73b5886af2653912f4a65907
SHA256: 6fb6d58a0d0e3b321319b4fed22048e320e7cdab695bd673c1162bb14e94a960
SHA512: 7b9ab0b25f6dde226a950bf4e0ac38d18b7686283bf40dd0c175e29e91571f76cf937612988ff12ab28e75badd69f133bf3f8a1456d2a63c34c267f0b074b9d9
SSDEEP: 24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvvzSq01ICe6zvm
Malware Config
Signatures
YARA rule match
  resource: behavioral1/memory/1268-5-0x0000000002190000-0x0000000002191000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid / process:
  2588 winlogon.exe
  588 sdclt.exe
  2804 lpksetup.exe

Loads dropped DLL (7 IoCs)
  pid / process (pid 1268 has no process name in the report):
  1268
  2588 winlogon.exe
  1268
  588 sdclt.exe
  1268
  2804 lpksetup.exe
  1268

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\E8B1Xpe7EW\\sdclt.exe"
  process: (not named in the report)

Checks whether UAC is enabled
  description / ioc / process:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sdclt.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lpksetup.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  1200 rundll32.exe (3 entries)
  1268 (no process name; all remaining entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / process / target process (each entry appears three times in the report):
  PID 1268 wrote to memory of 2644 | 1268 | (unnamed) | winlogon.exe
  PID 1268 wrote to memory of 2588 | 1268 | (unnamed) | winlogon.exe
  PID 1268 wrote to memory of 1804 | 1268 | (unnamed) | sdclt.exe
  PID 1268 wrote to memory of 588 | 1268 | (unnamed) | sdclt.exe
  PID 1268 wrote to memory of 1664 | 1268 | (unnamed) | lpksetup.exe
  PID 1268 wrote to memory of 2804 | 1268 | (unnamed) | lpksetup.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll,#1
  PID: 1200
  signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\winlogon.exe
  command line: C:\Windows\system32\winlogon.exe
  PID: 2644
- C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
  command line: C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
  PID: 2588
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\sdclt.exe
  command line: C:\Windows\system32\sdclt.exe
  PID: 1804
- C:\Users\Admin\AppData\Local\bqYim2\sdclt.exe
  command line: C:\Users\Admin\AppData\Local\bqYim2\sdclt.exe
  PID: 588
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\lpksetup.exe
  command line: C:\Windows\system32\lpksetup.exe
  PID: 1664
- C:\Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
  command line: C:\Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
  PID: 2804
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
  Filesize: 381KB
  MD5: 1151b1baa6f350b1db6598e0fea7c457
  SHA1: 434856b834baf163c5ea4d26434eeae775a507fb
  SHA256: b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
  SHA512: df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab
- C:\Users\Admin\AppData\Local\xfpSKYP1S\slc.dll
  Filesize: 987KB
  MD5: 9bdbe8310cc0cd89c904f203f3f6a0b3
  SHA1: 4f97af8cfcd76965bf6b27ea8aa20fe1c0eb77cb
  SHA256: f6cba8ce9827eb593699a1fea1bdabb3dadd664f5c1869f3653360f21ba42cf9
  SHA512: 7920e49fefad3b1daeccadbea0fcdee62cb070c3b75f1bac302c01ebe89d3f4ad78c94c7aa00c2b8a4d2f5b860bb3e5eff483decc5a08837c9353dab7e5f9e50
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
  Filesize: 1005B
  MD5: 6cb8cff0a51b9ad7188979acde3f7349
  SHA1: 3a44945e9e8d5f894cb5f112e724b1b412f78805
  SHA256: 7537e39f6177dc5c4d63a234162173273fa9ae0875553c26d29642ece2efe547
  SHA512: 775e09eefc0401f6b2fef404cddb888f9146139cb014de444af584cf34ebc2136d12d57c09deb2bcacb98dc7b657abf16d18ffe5ebc2f348c7b51fab0db68023
- \Users\Admin\AppData\Local\3rQFchl\WINSTA.dll
  Filesize: 991KB
  MD5: 49ace43f14352c10e075939dcb9f1e55
  SHA1: a40640c7d8bcad131e5d4c196bf45b481d1cdbee
  SHA256: 516edc756143fe05e008e8350e83210355ab6deaa76e324aa7f8e6652d90b7bd
  SHA512: f9513c5fa070162e74b79de0c4bfe63302aa3fb344262bdaa58fd8ec70fda9b0f85b181b8b238e56b2376edbb2ba31f6dd70334afc838b40449a0ee028584b91
- \Users\Admin\AppData\Local\bqYim2\sdclt.exe
  Filesize: 1.2MB
  MD5: cdebd55ffbda3889aa2a8ce52b9dc097
  SHA1: 4b3cbfff5e57fa0cb058e93e445e3851063646cf
  SHA256: 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
  SHA512: 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13
- \Users\Admin\AppData\Local\bqYim2\slc.dll
  Filesize: 987KB
  MD5: d900217c147446cd999d8632d89b1908
  SHA1: bae124d5f9c264109b2c8ed1d7c270d579e9dce3
  SHA256: c0a961526337c6ed1ea2bfa324bc7c599d2c2117c6818044fdf167929b879cf8
  SHA512: b80bc5d78dfc40c647687a1ef796c4d5df0019722893e73016df0df6b7d633494c395686afe71764d7aaf8f2a8f3119019d89d2e5af6558397fb986c6246baad
- \Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
  Filesize: 638KB
  MD5: 50d28f3f8b7c17056520c80a29efe17c
  SHA1: 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
  SHA256: 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
  SHA512: 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861
Memory dumps (filename, Filesize):
- memory/588-74-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/588-79-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB
- memory/588-77-0x00000000FFB60000-0x00000000FFC9A000-memory.dmp: 1.2MB
- memory/588-72-0x0000000000280000-0x0000000000287000-memory.dmp: 28KB
- memory/1200-44-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1200-1-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1200-0-0x00000000000A0000-0x00000000000A7000-memory.dmp: 28KB
- memory/1268-12-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-36-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-13-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-35-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-26-0x00000000775D0000-0x00000000775D2000-memory.dmp: 8KB
- memory/1268-10-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-11-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-9-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-71-0x0000000077336000-0x0000000077337000-memory.dmp: 4KB
- memory/1268-4-0x0000000077336000-0x0000000077337000-memory.dmp: 4KB
- memory/1268-8-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-25-0x0000000077441000-0x0000000077442000-memory.dmp: 4KB
- memory/1268-5-0x0000000002190000-0x0000000002191000-memory.dmp: 4KB
- memory/1268-14-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-23-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/1268-24-0x0000000002170000-0x0000000002177000-memory.dmp: 28KB
- memory/1268-7-0x0000000140000000-0x00000001400FC000-memory.dmp: 1008KB
- memory/2588-52-0x0000000140000000-0x00000001400FE000-memory.dmp: 1016KB
- memory/2588-57-0x0000000140000000-0x00000001400FE000-memory.dmp: 1016KB
- memory/2588-55-0x0000000000500000-0x0000000000507000-memory.dmp: 28KB
- memory/2804-91-0x00000000000F0000-0x00000000000F7000-memory.dmp: 28KB
- memory/2804-97-0x0000000140000000-0x00000001400FD000-memory.dmp: 1012KB