Analysis

Max time kernel: 122s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 20-06-2024 13:29
Static task: static1

Behavioral task: behavioral1
  Sample: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General

Target: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
Size: 144KB
MD5: 066ebb71605984d91572879f47b59ce2
SHA1: 517cd0cfcaa1fcddde0941f6ca60a43ac9a64d6f
SHA256: b3a182fe9fb0f36ee3a091fb1ae793356a9f2ab0e5c2145cc95f77c34383fc12
SHA512: 4c288c4b1f08ec2d5d00f9b311b9c8844962353fd3983f7300c69cac82740578e2a49af0f5046567545db9b9679fc4b2e87c8eae60d0eb91d0355dfbbd3f6953
SSDEEP: 3072:LllsWS5qsXv1MrgIUu2BAC+YXihevG4gZA07qjI6sZTr:7IRtIiBACJw6WHOjIhd
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (4 IoCs)
  Detects file using ACProtect software.

  resource | yara_rule
  behavioral1/files/0x0006000000015d8f-31.dat | acprotect
  behavioral1/files/0x0007000000015d5e-46.dat | acprotect
  behavioral1/files/0x0007000000015659-57.dat | acprotect
  behavioral1/memory/2448-59-0x0000000010000000-0x0000000010008000-memory.dmp | acprotect
- Executes dropped EXE (3 IoCs)

  pid | Process
  3004 | razor_media_2_1.exe
  2608 | f259401613.exe
  2624 | razami.exe
- Loads dropped DLL (9 IoCs)

  pid | Process
  2020 | regsvr32.exe
  2020 | regsvr32.exe
  3004 | razor_media_2_1.exe
  3004 | razor_media_2_1.exe
  2608 | f259401613.exe
  2608 | f259401613.exe
  2608 | f259401613.exe
  2624 | razami.exe
  2448 | regsvr32.exe
- (signature heading absent from the page; YARA rule matched: upx, 9 IoCs)

  resource | yara_rule
  behavioral1/files/0x0008000000014f71-11.dat | upx
  behavioral1/memory/2608-22-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral1/files/0x0006000000015d8f-31.dat | upx
  behavioral1/memory/2608-42-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral1/memory/2624-44-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral1/files/0x0007000000015d5e-46.dat | upx
  behavioral1/memory/2624-56-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral1/files/0x0007000000015659-57.dat | upx
  behavioral1/memory/2448-59-0x0000000010000000-0x0000000010008000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\razami.exe" | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\razami.exe" | f259401613.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | f259401613.exe
  File opened for modification | \??\PhysicalDrive0 | razami.exe
- Drops file in System32 directory (12 IoCs)

  description | ioc | Process
  File created | C:\Windows\SysWOW64\qgugb.dat | f259401613.exe
  File created | C:\Windows\SysWOW64\razami.exe | f259401613.exe
  File created | C:\Windows\SysWOW64\cxaxrdn.exe | f259401613.exe
  File created | C:\Windows\SysWOW64\qgugb.dat | razami.exe
  File opened for modification | C:\Windows\SysWOW64\peyehsi.dll | razami.exe
  File created | C:\Windows\SysWOW64\razami.exe | razami.exe
  File opened for modification | C:\Windows\SysWOW64\cxaxrdn.exe | razami.exe
  File opened for modification | C:\Windows\SysWOW64\norop.dll | razami.exe
  File created | C:\Windows\SysWOW64\wmconfig.cpl | razor_media_2_1.exe
  File created | C:\Windows\SysWOW64\winup2date.dll | razor_media_2_1.exe
  File created | C:\Windows\SysWOW64\peyehsi.dll | f259401613.exe
  File created | C:\Windows\SysWOW64\norop.dll | f259401613.exe
- Drops file in Windows directory (2 IoCs)

  description | ioc | Process
  File created | C:\Windows\unadbeh.exe | razor_media_2_1.exe
  File opened for modification | C:\Windows\arnrh.dll | f259401613.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (27 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ProgId\ = "rfxfuoei.class" | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq\ = "{273d3bca-9b4a-4afc-9481-b22c629fa263}" | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ = "rfxfuoei.class" | razami.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32 | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32\ThreadingModel = "Apartment" | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ = "rfxfuoei.class" | f259401613.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\ProgId | razami.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq | razami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\winup2date.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f} | f259401613.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ProgId | f259401613.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq | f259401613.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32 | f259401613.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32\ = "C:\\Windows\\SysWow64\\norop.dll" | f259401613.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\ProgId\ = "rfxfuoei.class" | f259401613.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263}\InProcServer32\ = "C:\\Windows\\SysWow64\\norop.dll" | razami.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{874e03a6-9c82-4e39-a9af-d2283ff7651f}\InProcServer32\ThreadingModel = "Apartment" | f259401613.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gsystmnq\ = "{874e03a6-9c82-4e39-a9af-d2283ff7651f}" | f259401613.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{273d3bca-9b4a-4afc-9481-b22c629fa263} | razami.exe
- Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed, count in last column)

  description | pid | Process | procid_target | count
  PID 2032 wrote to memory of 2020 | 2032 | regsvr32.exe | 28 | 7
  PID 2020 wrote to memory of 3004 | 2020 | regsvr32.exe | 29 | 4
  PID 3004 wrote to memory of 2608 | 3004 | razor_media_2_1.exe | 30 | 4
  PID 2608 wrote to memory of 2624 | 2608 | f259401613.exe | 31 | 4
  PID 3004 wrote to memory of 2448 | 3004 | razor_media_2_1.exe | 32 | 7
Processes

1. C:\Windows\system32\regsvr32.exe (PID:2032)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID:2020)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe (PID:3004)
         Command line: "C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\f259401613.exe (PID:2608)
            Command line: "C:\Users\Admin\AppData\Local\Temp\f259401613.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Writes to the Master Boot Record (MBR)
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\razami.exe (PID:2624)
               Command line: "C:\Windows\system32\razami.exe"
               - Executes dropped EXE
               - Loads dropped DLL
               - Adds Run key to start application
               - Writes to the Master Boot Record (MBR)
               - Drops file in System32 directory
               - Modifies registry class

         4. C:\Windows\SysWOW64\regsvr32.exe (PID:2448)
            Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\winup2date.dll
            - Loads dropped DLL
            - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 8bafaf18a0578642f864ed8cbf982346
  SHA1: 4fcb8312c5b06ef3b04f21d10f77d90a70afd006
  SHA256: eab5c0bbd9c46da00f0824e554628f34552e01ceeac2febc4f4343d1c40809fe
  SHA512: ea43e9ef5b1459b09b36662c5681285bf7366fdce23bd50df9567f94af768157a3be3b378e0a35de249d342b11cd0184a73458a783bb935a6672199b1d18e9a4

- Filesize: 14KB
  MD5: 2a9bc69d9030a614f4cce970d21ea89f
  SHA1: 92e44c26a75098cb7bd3cab1b0e2a34af6d0e4eb
  SHA256: 1f6aa1544d355f391a088747e1cf7acd5575e0c312a4e79a3602d591bcf552e0
  SHA512: 8c1dbffad8f1750f5dcd76a9035a8f6b6cc38269698b0bbb1290aa305dbb52106b726b0ac92efef82ffab40af074f85f5729dcea32afb014ac913ae5582fcfad

- Filesize: 5KB
  MD5: 0d133977906f46726940c0a1ed338f3b
  SHA1: b0c2dddb856d66c78b1f30e3c997d335420add2a
  SHA256: 47839caf62ef254f18a584cd915c1e83b4fa29a9f43400f3766d9d49e9445dab
  SHA512: 7d8fc2385ca330a47dc5b04f440f214b2d315db490aa9ca8e7dc4aa5182bd1ada5a8a9f052d44ee439806589262798ecf01616d572bfcca322a5b18d2e31ec73

- Filesize: 38KB
  MD5: 2bbc7cfcf052d0bd00821986864725ce
  SHA1: 6f55c6b0edc41eec83adf92fe92f787c29527744
  SHA256: 29ad1a9f9f2a37498622530517f50ebce1b65be578f7e4e1b36fa4ccce2c98ef
  SHA512: 9256fa02173880f240408f69b12416a837b1674c9092219dfa3689ea057b0fe97ad75f3c0e433b6b261ec1aef259b4a189318de480755d6f3ebb9d2056efb7c0

- Filesize: 72KB
  MD5: e8f00b7b09842ede8600080ba8b29ccf
  SHA1: 0a97cd19370d65596bf5c628b6d247bc9362a224
  SHA256: 71db06578766b005bc5b297baa6a34382dfcc5009086c1bfdfb9911574151dbf
  SHA512: 24eece275d92289e2be5597f9ade5bbe68e5c3d926fb97236fd8c7710dbedb4214926b9143eb77e464349d04e91c1fcf62ddd066565a3ddb3fe3f9538411c929

- Filesize: 7KB
  MD5: 0c7876e9c3d3a841ebbdc06dfc8e1ba1
  SHA1: 45cf786a3a241f35d8412449dade36c2910e20d6
  SHA256: c9f68b243ddcad4542f26b97c7a17095ebefc397a7ee7bc20483063f82340496
  SHA512: 11a8a56c44b6843d68cbab8b95e2b6acfbb4e47d5c2f3db4a21d7bafce9f4f2edcb41c0355f675f333622b4401beb528de42ce7445991f86f53b127f8bab6b89