Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
16-06-2024 23:46
Static task
static1
Behavioral task
behavioral1
Sample
b5cfd9845527c8ffe61743970ecb3358_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
b5cfd9845527c8ffe61743970ecb3358_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
b5cfd9845527c8ffe61743970ecb3358
-
SHA1
1ef2c055ef942f2a098cce8bdbe573ab090d1442
-
SHA256
859ccbb68d0b4bf473f0778957e8a02bf705c6bdde460b1c7e78097eda1c1018
-
SHA512
20bbf343af284589ff17b3e5b54c2b3be3da1193cccfb0d49d7c55668235b2aebd871cffcd388c20e3cd47e9899e63b3c7a886597d1de56be57cae56ee5ebce4
-
SSDEEP
24576:nVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:nV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3352-4-0x00000000023A0000-0x00000000023A1000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2364  shrpubw.exe
3084  SystemSettingsRemoveDevice.exe
1892  GamePanel.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
2364  shrpubw.exe
3084  SystemSettingsRemoveDevice.exe
1892  GamePanel.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\lZ\\SystemSettingsRemoveDevice.exe"
-
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  shrpubw.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemSettingsRemoveDevice.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  GamePanel.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
3340  rundll32.exe (4 events)
3352  (image name not recorded in the report) (60 events)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid   process
3352  (image name not recorded in the report) (3 events)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid   process
3352  (image name not recorded in the report) (3 events)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3352  (image name not recorded in the report) (1 event)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process  target process
PID 3352 wrote to memory of 2180  3352           shrpubw.exe (2 events)
PID 3352 wrote to memory of 2364  3352           shrpubw.exe (2 events)
PID 3352 wrote to memory of 400   3352           SystemSettingsRemoveDevice.exe (2 events)
PID 3352 wrote to memory of 3084  3352           SystemSettingsRemoveDevice.exe (2 events)
PID 3352 wrote to memory of 3728  3352           GamePanel.exe (2 events)
PID 3352 wrote to memory of 1892  3352           GamePanel.exe (2 events)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5cfd9845527c8ffe61743970ecb3358_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3340
-
C:\Windows\system32\shrpubw.exe
Command line: C:\Windows\system32\shrpubw.exe
PID:2180
-
C:\Users\Admin\AppData\Local\eQR3z2\shrpubw.exe
Command line: C:\Users\Admin\AppData\Local\eQR3z2\shrpubw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2364
-
C:\Windows\system32\SystemSettingsRemoveDevice.exe
Command line: C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID:400
-
C:\Users\Admin\AppData\Local\wA2A\SystemSettingsRemoveDevice.exe
Command line: C:\Users\Admin\AppData\Local\wA2A\SystemSettingsRemoveDevice.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3084
-
C:\Windows\system32\GamePanel.exe
Command line: C:\Windows\system32\GamePanel.exe
PID:3728
-
C:\Users\Admin\AppData\Local\co2ArDL\GamePanel.exe
Command line: C:\Users\Admin\AppData\Local\co2ArDL\GamePanel.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1892
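The process tree above shows each of three Windows binaries (shrpubw.exe, SystemSettingsRemoveDevice.exe, GamePanel.exe) launched once from System32 and once from a freshly created directory under AppData\Local, and the dropped-file list records a system-named DLL (MFC42u.dll, DUI70.dll, dwmapi.dll) beside each copy; together with the Run key and Startup LNK this is what a triager acts on. The Python below is an added example, not part of the sandbox report: it encodes those two checks (search-order side-loading candidates, and autostart values pointing into the profile) over the report's own process list, dropped-file list and Run value, copied in as constructed input. The split "under C:\Users\ is user-writable, under C:\Windows\ is the trusted copy" and all function names are this example's assumptions.

```python
# Added example, not part of the sandbox report: triage the report's own
# process tree, dropped-file list and Run value for two findings:
#  1. a Windows binary re-launched from a user-writable directory with a
#     system-named DLL dropped beside it (search-order side-loading), and
#  2. an autostart entry that points into the user profile.
# Assumptions (not stated by the report): everything under C:\Users\ is
# writable by the logged-on user, everything under C:\Windows\ is the trusted
# copy, and the function names are this example's own.
import ntpath  # Windows path semantics, independent of the host OS

# Constructed from the report's process tree: (pid, image path)
PROCESSES = [
    (3340, r"C:\Windows\system32\rundll32.exe"),
    (2180, r"C:\Windows\system32\shrpubw.exe"),
    (2364, r"C:\Users\Admin\AppData\Local\eQR3z2\shrpubw.exe"),
    (400,  r"C:\Windows\system32\SystemSettingsRemoveDevice.exe"),
    (3084, r"C:\Users\Admin\AppData\Local\wA2A\SystemSettingsRemoveDevice.exe"),
    (3728, r"C:\Windows\system32\GamePanel.exe"),
    (1892, r"C:\Users\Admin\AppData\Local\co2ArDL\GamePanel.exe"),
]

# Constructed from the report's Downloads table (paths only)
DROPPED = [
    r"C:\Users\Admin\AppData\Local\co2ArDL\GamePanel.exe",
    r"C:\Users\Admin\AppData\Local\co2ArDL\dwmapi.dll",
    r"C:\Users\Admin\AppData\Local\eQR3z2\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\eQR3z2\shrpubw.exe",
    r"C:\Users\Admin\AppData\Local\wA2A\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\wA2A\SystemSettingsRemoveDevice.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk",
]

# Constructed from the report's "Adds Run key" signature: (value name, data);
# the report prints the data with escaped backslashes, reproduced here unescaped.
RUN_VALUES = [
    ("Iphtcfjrejti",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\lZ\SystemSettingsRemoveDevice.exe"),
]


def _norm(path):
    """Case-fold and strip surrounding quotes so paths compare like Windows does."""
    return ntpath.normcase(path.strip('"'))


def is_system_path(path):
    return _norm(path).startswith("c:\\windows\\")


def is_user_writable(path):
    return _norm(path).startswith("c:\\users\\")


def relocated_system_binaries(processes):
    """Image names executed both from the Windows directory and from the user profile."""
    by_name = {}
    for pid, image in processes:
        entry = by_name.setdefault(_norm(ntpath.basename(image)), {"system": [], "user": []})
        if is_system_path(image):
            entry["system"].append((pid, image))
        elif is_user_writable(image):
            entry["user"].append((pid, image))
    return {name: e for name, e in by_name.items() if e["system"] and e["user"]}


def sideload_candidates(processes, dropped):
    """Pair each relocated binary with the DLLs dropped into its directory.

    The application directory is searched before System32, so a DLL with a
    system name beside the copied EXE is the one that gets loaded."""
    findings = []
    for entry in relocated_system_binaries(processes).values():
        for pid, exe in entry["user"]:
            exe_dir = _norm(ntpath.dirname(exe))
            for path in dropped:
                if _norm(ntpath.dirname(path)) == exe_dir and _norm(path).endswith(".dll"):
                    findings.append({"pid": pid, "exe": exe, "dll": path,
                                     "sideloaded_name": ntpath.basename(path)})
    return findings


def suspicious_run_values(run_values, relocated_names, dropped):
    """Flag Run values whose target sits in the profile, reuses a relocated
    binary's name, or does not appear in the recorded dropped-file list."""
    dropped_norm = {_norm(p) for p in dropped}
    findings = []
    for value, data in run_values:
        target = data.strip('"')
        reasons = []
        if is_user_writable(target):
            reasons.append("target in user-writable directory")
        if _norm(ntpath.basename(target)) in relocated_names:
            reasons.append("target reuses the name of a relocated system binary")
        if _norm(target) not in dropped_norm:
            reasons.append("target path not in the recorded dropped-file list")
        if reasons:
            findings.append({"value": value, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    relocated = relocated_system_binaries(PROCESSES)
    for hit in sideload_candidates(PROCESSES, DROPPED):
        print("PID", hit["pid"], hit["exe"], "side-loads", hit["sideloaded_name"])
    for hit in suspicious_run_values(RUN_VALUES, set(relocated), DROPPED):
        print("Run value", hit["value"], "->", hit["target"], ":", "; ".join(hit["reasons"]))
```

Run as-is it reports the three EXE/DLL pairs from this report and flags the Run value on all three counts; the third reason matters because the Run target (AppData\Roaming\Microsoft\Office\lZ\) is a different directory from any the sandbox saw being written, so a host inventory would have to look there separately.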
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\co2ArDL\GamePanel.exe
Filesize 1.2MB
MD5 266f6a62c16f6a889218800762b137be
SHA1 31b9bd85a37bf0cbb38a1c30147b83671458fa72
SHA256 71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd
SHA512 b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68
-
C:\Users\Admin\AppData\Local\co2ArDL\dwmapi.dll
Filesize 1.2MB
MD5 d6bdf4821b13e5b343705bc145b2e398
SHA1 562a480dcbaff4da4031cd54c95814568d721568
SHA256 04d999117f7f09bb49034cd1a11bd303bb100b3502c20de51ddd6720d32085cf
SHA512 be97f2f87c8d6858b5d2790d43cd994dfa0c58a76ef3720b3d779eda763f48564c8eea56b53d57944822e0a2233fef6b50807b911ef22302b8374acee56a0d39
-
C:\Users\Admin\AppData\Local\eQR3z2\MFC42u.dll
Filesize 1.2MB
MD5 2565a3ea6745e9a37e1588a1d15a0da9
SHA1 0011d50f5d25075a83eb4a7fdb4f14b7e86516b2
SHA256 c0238500c71d2366d72f79679485fbde412f8c270c2164848776e50a5f66d7e2
SHA512 23c12f60688652fce3364a9b576737beeb3666f9899b6753e9b098b420ad31985febe6276f886cd47c3fa9af50cce1c60a3af5612564925dfdd25060a3abfbc9
-
C:\Users\Admin\AppData\Local\eQR3z2\shrpubw.exe
Filesize 59KB
MD5 9910d5c62428ec5f92b04abf9428eec9
SHA1 05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b
SHA256 6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e
SHA512 01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb
-
C:\Users\Admin\AppData\Local\wA2A\DUI70.dll
Filesize 1.4MB
MD5 3ebe858a47843bf4b4bce0af8f951789
SHA1 fbe201af0d2136451c96069e96453704d48ba017
SHA256 4f3d745aafbe8a6e38fc621dbf2563411262406d7606b9c0445832725a6e00fb
SHA512 ff19a61938aa140a5a9aaa389e677d18b64f62b708237df949fba78578f9b3ac678156fe5c0ea2a24a44d6dc9f3b36936ca8ec19dc011144f4b6301ecc33d17f
-
C:\Users\Admin\AppData\Local\wA2A\SystemSettingsRemoveDevice.exe
Filesize 39KB
MD5 7853f1c933690bb7c53c67151cbddeb0
SHA1 d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
SHA256 9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
SHA512 831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize 1KB
MD5 fd33fac1639f9f18d2c5af7fd49bce05
SHA1 f1de68e037368af2365d1cb47aaa904554b9a627
SHA256 c00b4b99f6abf7f82c97c6501444bcd1342942a647ea066a4ef472eb2e947322
SHA512 323c88d2c2895e9150d82f0188814498f0de51a2d86ef700bae82f8568babbd18d7886e5fd287701cf453b743305ac225627493d35957b87e401790e9f97c924
-
memory/1892-79-0x0000000140000000-0x0000000140131000-memory.dmp
Filesize 1.2MB
-
memory/1892-84-0x0000000140000000-0x0000000140131000-memory.dmp
Filesize 1.2MB
-
memory/2364-48-0x0000020BC0D50000-0x0000020BC0D57000-memory.dmp
Filesize 28KB
-
memory/2364-51-0x0000000140000000-0x0000000140137000-memory.dmp
Filesize 1.2MB
-
memory/2364-45-0x0000000140000000-0x0000000140137000-memory.dmp
Filesize 1.2MB
-
memory/3084-65-0x000001748E310000-0x000001748E317000-memory.dmp
Filesize 28KB
-
memory/3084-62-0x0000000140000000-0x0000000140176000-memory.dmp
Filesize 1.5MB
-
memory/3084-68-0x0000000140000000-0x0000000140176000-memory.dmp
Filesize 1.5MB
-
memory/3340-0-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3340-3-0x0000025EDA860000-0x0000025EDA867000-memory.dmp
Filesize 28KB
-
memory/3340-38-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-25-0x00000000008E0000-0x00000000008E7000-memory.dmp
Filesize 28KB
-
memory/3352-6-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-7-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-8-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-10-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-11-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-12-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-14-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-24-0x00007FFEE968A000-0x00007FFEE968B000-memory.dmp
Filesize 4KB
-
memory/3352-35-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-29-0x00007FFEE9890000-0x00007FFEE98A0000-memory.dmp
Filesize 64KB
-
memory/3352-23-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-13-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-9-0x0000000140000000-0x0000000140130000-memory.dmp
Filesize 1.2MB
-
memory/3352-4-0x00000000023A0000-0x00000000023A1000-memory.dmp
Filesize 4KB