Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 06:08

Static task: static1
Behavioral task: behavioral1
Sample: b20e9a37b5d638259d80111028dae1da_JaffaCakes118.dll
Resource: win7-20240220-en
General
- Target: b20e9a37b5d638259d80111028dae1da_JaffaCakes118.dll
- Size: 990KB
- MD5: b20e9a37b5d638259d80111028dae1da
- SHA1: 27499b1c4232cd3b06e687aa42bdf0b404b83583
- SHA256: 46c5de5439adf19819d78a52bbdbc97c4c63e00049e019ce437c1c08ed140f33
- SHA512: d4f36bce2c25de4a48b8de4e32c5f938c506beeb10a6f39f1f0bfeeb30b1813ef0492b50c7e25055e0a6a72335c24ea4e1a3d6873f94ccfe69cc6695e790dd0f
- SSDEEP: 24576:jVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:jV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- YARA rule match (behavioral1)
  resource: behavioral1/memory/1188-5-0x0000000002490000-0x0000000002491000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   process
  2324  DeviceDisplayObjectProvider.exe
  1448  unregmp2.exe
  2156  SystemPropertiesRemote.exe
- Loads dropped DLL (7 IoCs)
  pid   process
  1188  (no process name recorded in the report)
  2324  DeviceDisplayObjectProvider.exe
  1188  (no process name recorded in the report)
  1448  unregmp2.exe
  1188  (no process name recorded in the report)
  2156  SystemPropertiesRemote.exe
  1188  (no process name recorded in the report)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\RDCPDO~1\\unregmp2.exe"
  process: (not recorded in the report)
- Checks whether UAC is enabled
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DeviceDisplayObjectProvider.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  unregmp2.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesRemote.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2004  rundll32.exe (3 entries)
  1188  (no process name recorded; all remaining entries are for PID 1188)
- Suspicious use of WriteProcessMemory (18 IoCs; each source/target pair is listed three times in the report)
  pid   target pid  target process
  1188  2468        DeviceDisplayObjectProvider.exe
  1188  2324        DeviceDisplayObjectProvider.exe
  1188  356         unregmp2.exe
  1188  1448        unregmp2.exe
  1188  1552        SystemPropertiesRemote.exe
  1188  2156        SystemPropertiesRemote.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 2004)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b20e9a37b5d638259d80111028dae1da_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DeviceDisplayObjectProvider.exe (PID 2468)
  command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
- C:\Users\Admin\AppData\Local\Ayig4DjEg\DeviceDisplayObjectProvider.exe (PID 2324)
  command line: C:\Users\Admin\AppData\Local\Ayig4DjEg\DeviceDisplayObjectProvider.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe (PID 356)
  command line: C:\Windows\system32\unregmp2.exe
- C:\Users\Admin\AppData\Local\PAolvN\unregmp2.exe (PID 1448)
  command line: C:\Users\Admin\AppData\Local\PAolvN\unregmp2.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesRemote.exe (PID 1552)
  command line: C:\Windows\system32\SystemPropertiesRemote.exe
- C:\Users\Admin\AppData\Local\gf4ZXX9\SystemPropertiesRemote.exe (PID 2156)
  command line: C:\Users\Admin\AppData\Local\gf4ZXX9\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Ayig4DjEg\XmlLite.dll (990KB)
- C:\Users\Admin\AppData\Local\PAolvN\slc.dll (991KB)
- C:\Users\Admin\AppData\Local\gf4ZXX9\SYSDM.CPL (990KB)
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk (1KB)
- \Users\Admin\AppData\Local\Ayig4DjEg\DeviceDisplayObjectProvider.exe (109KB)
- \Users\Admin\AppData\Local\PAolvN\unregmp2.exe (316KB)
- \Users\Admin\AppData\Local\gf4ZXX9\SystemPropertiesRemote.exe (80KB)