Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: 066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
Size: 144KB
MD5: 066ebb71605984d91572879f47b59ce2
SHA1: 517cd0cfcaa1fcddde0941f6ca60a43ac9a64d6f
SHA256: b3a182fe9fb0f36ee3a091fb1ae793356a9f2ab0e5c2145cc95f77c34383fc12
SHA512: 4c288c4b1f08ec2d5d00f9b311b9c8844962353fd3983f7300c69cac82740578e2a49af0f5046567545db9b9679fc4b2e87c8eae60d0eb91d0355dfbbd3f6953
SSDEEP: 3072:LllsWS5qsXv1MrgIUu2BAC+YXihevG4gZA07qjI6sZTr:7IRtIiBACJw6WHOjIhd
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x000700000002348a-27.dat | acprotect
behavioral2/files/0x0007000000023482-34.dat | acprotect
behavioral2/files/0x0007000000023485-39.dat | acprotect
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | razor_media_2_1.exe
Executes dropped EXE 3 IoCs
pid | Process
912 | razor_media_2_1.exe
3096 | f240609859.exe
5004 | ivvlkr.exe
Loads dropped DLL 3 IoCs
pid | Process
3096 | f240609859.exe
776 | regsvr32.exe
5004 | ivvlkr.exe
resource | yara_rule
behavioral2/files/0x0007000000023480-12.dat | upx
behavioral2/memory/3096-18-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x000700000002348a-27.dat | upx
behavioral2/memory/5004-37-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/3096-36-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023482-34.dat | upx
behavioral2/files/0x0007000000023485-39.dat | upx
behavioral2/memory/5004-49-0x0000000000400000-0x0000000000416000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\ivvlkr.exe" | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KavSvc = "C:\\Windows\\system32\\ivvlkr.exe" | ivvlkr.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | f240609859.exe
File opened for modification | \??\PhysicalDrive0 | ivvlkr.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\sttbrpt.dll | f240609859.exe
File created | C:\Windows\SysWOW64\wmconfig.cpl | razor_media_2_1.exe
File created | C:\Windows\SysWOW64\daaqu.dll | f240609859.exe
File created | C:\Windows\SysWOW64\ivvlkr.exe | ivvlkr.exe
File opened for modification | C:\Windows\SysWOW64\daaqu.dll | ivvlkr.exe
File created | C:\Windows\SysWOW64\winup2date.dll | razor_media_2_1.exe
File created | C:\Windows\SysWOW64\wppyk.dat | f240609859.exe
File created | C:\Windows\SysWOW64\wppyk.dat | ivvlkr.exe
File opened for modification | C:\Windows\SysWOW64\sttbrpt.dll | ivvlkr.exe
File opened for modification | C:\Windows\SysWOW64\dbbqmcb.exe | ivvlkr.exe
File created | C:\Windows\SysWOW64\ivvlkr.exe | f240609859.exe
File created | C:\Windows\SysWOW64\dbbqmcb.exe | f240609859.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\unadbeh.exe | razor_media_2_1.exe
File opened for modification | C:\Windows\mjjvz.dll | f240609859.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ = "C:\\Windows\\SysWow64\\winup2date.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32\ThreadingModel = "Apartment" | ivvlkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ = "oeejrreu.class" | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ProgId\ = "oeejrreu.class" | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "Columns class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\ProgId | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ = "oeejrreu.class" | ivvlkr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32 | ivvlkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\InProcServer32\ = "C:\\Windows\\SysWow64\\daaqu.dll" | ivvlkr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c} | ivvlkr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft | ivvlkr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ = "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft\ = "{39a8bf4b-af19-4c4f-92c4-9e07419f372c}" | ivvlkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId\ = "Columns class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\ProgId | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330} | f240609859.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft | f240609859.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32\ = "C:\\Windows\\SysWow64\\daaqu.dll" | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32\ThreadingModel = "Apartment" | f240609859.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ProgId | ivvlkr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43916785-1d6b-4023-b5f1-7f423e80d330}\InProcServer32 | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mffkxgft\ = "{43916785-1d6b-4023-b5f1-7f423e80d330}" | f240609859.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39a8bf4b-af19-4c4f-92c4-9e07419f372c}\ProgId\ = "oeejrreu.class" | ivvlkr.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 5080 wrote to memory of 3532 | 5080 | regsvr32.exe | 83
PID 5080 wrote to memory of 3532 | 5080 | regsvr32.exe | 83
PID 5080 wrote to memory of 3532 | 5080 | regsvr32.exe | 83
PID 3532 wrote to memory of 912 | 3532 | regsvr32.exe | 84
PID 3532 wrote to memory of 912 | 3532 | regsvr32.exe | 84
PID 3532 wrote to memory of 912 | 3532 | regsvr32.exe | 84
PID 912 wrote to memory of 3096 | 912 | razor_media_2_1.exe | 85
PID 912 wrote to memory of 3096 | 912 | razor_media_2_1.exe | 85
PID 912 wrote to memory of 3096 | 912 | razor_media_2_1.exe | 85
PID 912 wrote to memory of 776 | 912 | razor_media_2_1.exe | 86
PID 912 wrote to memory of 776 | 912 | razor_media_2_1.exe | 86
PID 912 wrote to memory of 776 | 912 | razor_media_2_1.exe | 86
PID 3096 wrote to memory of 5004 | 3096 | f240609859.exe | 87
PID 3096 wrote to memory of 5004 | 3096 | f240609859.exe | 87
PID 3096 wrote to memory of 5004 | 3096 | f240609859.exe | 87
Processes
(process tree; depth in brackets, PID in parentheses, command line on the following line)

[1] C:\Windows\system32\regsvr32.exe (PID 5080)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\regsvr32.exe (PID 3532)
      /s C:\Users\Admin\AppData\Local\Temp\066ebb71605984d91572879f47b59ce2_JaffaCakes118.dll
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe (PID 912)
        "C:\Users\Admin\AppData\Local\Temp\razor_media_2_1.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\f240609859.exe (PID 3096)
          "C:\Users\Admin\AppData\Local\Temp\f240609859.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Writes to the Master Boot Record (MBR)
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ivvlkr.exe (PID 5004)
            "C:\Windows\system32\ivvlkr.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Writes to the Master Boot Record (MBR)
            - Drops file in System32 directory
            - Modifies registry class
      [4] C:\Windows\SysWOW64\regsvr32.exe (PID 776)
          "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\winup2date.dll
          - Loads dropped DLL
          - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads