Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 13:29

General

  • Target: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
  • Size: 144KB
  • MD5: 066ebb71605984d91572879f47b59ce2
  • SHA1: 517cd0cfcaa1fcddde0941f6ca60a43ac9a64d6f
  • SHA256: b3a182fe9fb0f36ee3a091fb1ae793356a9f2ab0e5c2145cc95f77c34383fc12
  • SHA512: 4c288c4b1f08ec2d5d00f9b311b9c8844962353fd3983f7300c69cac82740578e2a49af0f5046567545db9b9679fc4b2e87c8eae60d0eb91d0355dfbbd3f6953
  • SSDEEP: 3072:LllsWS5qsXv1MrgIUu2BAC+YXihevG4gZA07qjI6sZTr:7IRtIiBACJw6WHOjIhd

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 4 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
        "C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Users\Admin\AppData\Local\Temp\f259401613.exe
          "C:\Users\Admin\AppData\Local\Temp\f259401613.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\SysWOW64\razami.exe
            "C:\Windows\system32\razami.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Writes to the Master Boot Record (MBR)
            • Drops file in System32 directory
            • Modifies registry class
            PID:2624
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\winup2date.dll
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\cxaxrdn.exe
    Filesize: 3KB
    MD5: 8bafaf18a0578642f864ed8cbf982346
    SHA1: 4fcb8312c5b06ef3b04f21d10f77d90a70afd006
    SHA256: eab5c0bbd9c46da00f0824e554628f34552e01ceeac2febc4f4343d1c40809fe
    SHA512: ea43e9ef5b1459b09b36662c5681285bf7366fdce23bd50df9567f94af768157a3be3b378e0a35de249d342b11cd0184a73458a783bb935a6672199b1d18e9a4

  • C:\Windows\SysWOW64\peyehsi.dll
    Filesize: 14KB
    MD5: 2a9bc69d9030a614f4cce970d21ea89f
    SHA1: 92e44c26a75098cb7bd3cab1b0e2a34af6d0e4eb
    SHA256: 1f6aa1544d355f391a088747e1cf7acd5575e0c312a4e79a3602d591bcf552e0
    SHA512: 8c1dbffad8f1750f5dcd76a9035a8f6b6cc38269698b0bbb1290aa305dbb52106b726b0ac92efef82ffab40af074f85f5729dcea32afb014ac913ae5582fcfad

  • C:\Windows\SysWOW64\winup2date.dll
    Filesize: 5KB
    MD5: 0d133977906f46726940c0a1ed338f3b
    SHA1: b0c2dddb856d66c78b1f30e3c997d335420add2a
    SHA256: 47839caf62ef254f18a584cd915c1e83b4fa29a9f43400f3766d9d49e9445dab
    SHA512: 7d8fc2385ca330a47dc5b04f440f214b2d315db490aa9ca8e7dc4aa5182bd1ada5a8a9f052d44ee439806589262798ecf01616d572bfcca322a5b18d2e31ec73

  • \Users\Admin\AppData\Local\Temp\f259401613.exe
    Filesize: 38KB
    MD5: 2bbc7cfcf052d0bd00821986864725ce
    SHA1: 6f55c6b0edc41eec83adf92fe92f787c29527744
    SHA256: 29ad1a9f9f2a37498622530517f50ebce1b65be578f7e4e1b36fa4ccce2c98ef
    SHA512: 9256fa02173880f240408f69b12416a837b1674c9092219dfa3689ea057b0fe97ad75f3c0e433b6b261ec1aef259b4a189318de480755d6f3ebb9d2056efb7c0

  • \Users\Admin\AppData\Local\Temp\razor_media_2_1.exe
    Filesize: 72KB
    MD5: e8f00b7b09842ede8600080ba8b29ccf
    SHA1: 0a97cd19370d65596bf5c628b6d247bc9362a224
    SHA256: 71db06578766b005bc5b297baa6a34382dfcc5009086c1bfdfb9911574151dbf
    SHA512: 24eece275d92289e2be5597f9ade5bbe68e5c3d926fb97236fd8c7710dbedb4214926b9143eb77e464349d04e91c1fcf62ddd066565a3ddb3fe3f9538411c929

  • \Windows\SysWOW64\norop.dll
    Filesize: 7KB
    MD5: 0c7876e9c3d3a841ebbdc06dfc8e1ba1
    SHA1: 45cf786a3a241f35d8412449dade36c2910e20d6
    SHA256: c9f68b243ddcad4542f26b97c7a17095ebefc397a7ee7bc20483063f82340496
    SHA512: 11a8a56c44b6843d68cbab8b95e2b6acfbb4e47d5c2f3db4a21d7bafce9f4f2edcb41c0355f675f333622b4401beb528de42ce7445991f86f53b127f8bab6b89

  • memory/2448-59-0x0000000010000000-0x0000000010008000-memory.dmp
    Filesize: 32KB

  • memory/2608-22-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/2608-42-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/2608-40-0x0000000000280000-0x0000000000296000-memory.dmp
    Filesize: 88KB

  • memory/2608-39-0x0000000010000000-0x0000000010009000-memory.dmp
    Filesize: 36KB

  • memory/2624-44-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/2624-56-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/3004-20-0x00000000021F0000-0x0000000002206000-memory.dmp
    Filesize: 88KB

  • memory/3004-21-0x00000000021F0000-0x0000000002206000-memory.dmp
    Filesize: 88KB