Analysis
  max time kernel: 150s
  max time network: 53s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-06-2024 13:22
  Static task: static1
  Behavioral task: behavioral1
  Sample: bc26b565bcd6a66c51368a58f663d94b_JaffaCakes118.dll
  Resource: win7-20240221-en
General
  Target: bc26b565bcd6a66c51368a58f663d94b_JaffaCakes118.dll
  Size: 1.6MB
  MD5: bc26b565bcd6a66c51368a58f663d94b
  SHA1: 95d83abdaca04ba954e3fde7088422a3cd2622e4
  SHA256: 5f4efeb2f3136e117f51044a6122e1089daae2908d27492dbec3094b6719fa58
  SHA512: b7eae94f31e4696e42ebf457aee957a2787ea07abb1b1dac3fcdedb8495e5f588c709f75134519c285f6162cfc1f6dcbe11f285a71e7d140d3f6193b4b04477c
  SSDEEP: 24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU
Malware Config
Signatures

YARA rule match
  Processes:
    resource                                                                  yara_rule
    behavioral2/memory/3384-4-0x0000000002E20000-0x0000000002E21000-memory.dmp  dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3380  msinfo32.exe
    6040  SystemPropertiesDataExecutionPrevention.exe
    5432  Netplwiz.exe

Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    3380  msinfo32.exe
    6040  SystemPropertiesDataExecutionPrevention.exe
    5432  Netplwiz.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                                            process
    Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\h67S51RLcP\\SystemPropertiesDataExecutionPrevention.exe"  (not recorded)

Checks whether UAC is enabled
  Processes:
    description        ioc                                                                           process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msinfo32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    4532  rundll32.exe  (4 entries)
    3384  (process name not recorded)  (remaining 60 entries)

Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid   process
    3384  (process name not recorded)  (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid   process
    3384  (process name not recorded)  (3 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process         target process
    PID 3384 wrote to memory of 1576   3384  (not recorded)  msinfo32.exe
    PID 3384 wrote to memory of 1576   3384  (not recorded)  msinfo32.exe
    PID 3384 wrote to memory of 3380   3384  (not recorded)  msinfo32.exe
    PID 3384 wrote to memory of 3380   3384  (not recorded)  msinfo32.exe
    PID 3384 wrote to memory of 1492   3384  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
    PID 3384 wrote to memory of 1492   3384  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
    PID 3384 wrote to memory of 6040   3384  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
    PID 3384 wrote to memory of 6040   3384  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
    PID 3384 wrote to memory of 4176   3384  (not recorded)  Netplwiz.exe
    PID 3384 wrote to memory of 4176   3384  (not recorded)  Netplwiz.exe
    PID 3384 wrote to memory of 5432   3384  (not recorded)  Netplwiz.exe
    PID 3384 wrote to memory of 5432   3384  (not recorded)  Netplwiz.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc26b565bcd6a66c51368a58f663d94b_JaffaCakes118.dll,#1
    PID: 4532
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\msinfo32.exe
    command line: C:\Windows\system32\msinfo32.exe
    PID: 1576

  C:\Users\Admin\AppData\Local\DD0\msinfo32.exe
    command line: C:\Users\Admin\AppData\Local\DD0\msinfo32.exe
    PID: 3380
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    PID: 1492

  C:\Users\Admin\AppData\Local\PmZ\SystemPropertiesDataExecutionPrevention.exe
    command line: C:\Users\Admin\AppData\Local\PmZ\SystemPropertiesDataExecutionPrevention.exe
    PID: 6040
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\Netplwiz.exe
    command line: C:\Windows\system32\Netplwiz.exe
    PID: 4176

  C:\Users\Admin\AppData\Local\bjmY\Netplwiz.exe
    command line: C:\Users\Admin\AppData\Local\bjmY\Netplwiz.exe
    PID: 5432
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

  C:\Users\Admin\AppData\Local\DD0\MFC42u.dll
    Filesize: 1.6MB
    MD5: a5282daf766460dec0596ef413046735
    SHA1: 12217fce414d9d0cce1c3c197ba65064e412097e
    SHA256: 38ee53981cd4ca267415287f269499fe9c13a1f99617d33282fb03d3ee6ef394
    SHA512: ad9bf332de111f0c7737b72200587ee79bf02b7b5fa558bcf47eec78ee85a5519eb1a9d5fad45a81bb549083a2b53069ea37cfce5bb32c9bb8bcfc67114d5f26

  C:\Users\Admin\AppData\Local\DD0\msinfo32.exe
    Filesize: 376KB
    MD5: 0aed91da63713bf9f881b03a604a1c9d
    SHA1: b1b2d292cb1a4c13dc243b5eab13afb316a28b9a
    SHA256: 5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14
    SHA512: 04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

  C:\Users\Admin\AppData\Local\PmZ\SYSDM.CPL
    Filesize: 1.6MB
    MD5: 3f9160dd319dc0b3ce31dd4c1576e73a
    SHA1: dc0e06c8325d311d53686d684ca4751332bedfb4
    SHA256: 9fdf7a1e479b59e2e74ae3c362b559ed0cc9a8f0256e7a1d27cdac99c155e065
    SHA512: 2f6e728eb0e539ea36f6dca853c70f2fcc8e2ba955b9199bc205867d65d123b2d33d86c0a07e9113cd3c09b0305a81f1314614f476e2539755f023761fcb835f

  C:\Users\Admin\AppData\Local\PmZ\SystemPropertiesDataExecutionPrevention.exe
    Filesize: 82KB
    MD5: de58532954c2704f2b2309ffc320651d
    SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
    SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
    SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

  C:\Users\Admin\AppData\Local\bjmY\NETPLWIZ.dll
    Filesize: 1.6MB
    MD5: 9133234302a1e47adab318e43008e81b
    SHA1: 7b733eebcb2d3d6fe8fdfe7914582c759baadc8c
    SHA256: 525bf6e4e7e87374f9cfe49eba88d5827713df0ecf6d3156e3875e6f7d69b720
    SHA512: f03d26f0a35d1fbabb8ca14e4861ee3e0c1582b42a7fed22c62632e78e0da2686eeaeae06cff4e5cd8c4a9efc11643851d5957fc45eba89578de96dfec5b4d1a

  C:\Users\Admin\AppData\Local\bjmY\Netplwiz.exe
    Filesize: 40KB
    MD5: 520a7b7065dcb406d7eca847b81fd4ec
    SHA1: d1b3b046a456630f65d482ff856c71dfd2f335c8
    SHA256: 8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d
    SHA512: 7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

  C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
    Filesize: 1KB
    MD5: 52fc3c6776f0990989cf420706e8c132
    SHA1: 385ef96ec76db248598013ddd078d6b6ae7247ef
    SHA256: 7bff7cd8e1b5a44e3dac77f37ca4b9743c12646f6c5685241d07716534446de5
    SHA512: a96f3fb9b146a45d0d64e6c4398810f5b17c1f3ae17288f6e7f1d685c5284ea4e31c9353e1c1470bdcd701ece8db83123ed268fd266db40b0a8bf50025e201be
  Memory dumps (resource, Filesize):
    memory/3380-54-0x00007FFA121E0000-0x00007FFA12388000-memory.dmp  1.7MB
    memory/3380-51-0x000001F0FAFA0000-0x000001F0FAFA7000-memory.dmp  28KB
    memory/3380-48-0x00007FFA121E0000-0x00007FFA12388000-memory.dmp  1.7MB
    memory/3384-35-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-8-0x0000000140000000-0x00000001401A1000-memory.dmp   1.6MB
    memory/3384-17-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-14-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-15-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-13-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-11-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-12-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-9-0x0000000140000000-0x00000001401A1000-memory.dmp   1.6MB
    memory/3384-10-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-7-0x0000000140000000-0x00000001401A1000-memory.dmp   1.6MB
    memory/3384-4-0x0000000002E20000-0x0000000002E21000-memory.dmp   4KB
    memory/3384-38-0x00007FFA208BA000-0x00007FFA208BB000-memory.dmp  4KB
    memory/3384-18-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-39-0x0000000000F60000-0x0000000000F67000-memory.dmp  28KB
    memory/3384-40-0x00007FFA21790000-0x00007FFA217A0000-memory.dmp  64KB
    memory/3384-26-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-16-0x0000000140000000-0x00000001401A1000-memory.dmp  1.6MB
    memory/3384-6-0x0000000140000000-0x00000001401A1000-memory.dmp   1.6MB
    memory/4532-3-0x000001D856CF0000-0x000001D856CF7000-memory.dmp   28KB
    memory/4532-41-0x00007FFA123F0000-0x00007FFA12591000-memory.dmp  1.6MB
    memory/4532-0-0x00007FFA123F0000-0x00007FFA12591000-memory.dmp   1.6MB
    memory/5432-85-0x000002A026940000-0x000002A026947000-memory.dmp  28KB
    memory/5432-88-0x00007FFA121E0000-0x00007FFA12382000-memory.dmp  1.6MB
    memory/6040-66-0x00007FFA121E0000-0x00007FFA12382000-memory.dmp  1.6MB
    memory/6040-71-0x00007FFA121E0000-0x00007FFA12382000-memory.dmp  1.6MB
    memory/6040-65-0x0000025353DD0000-0x0000025353DD7000-memory.dmp  28KB