Analysis Overview
SHA256
4dc06fdd711f03eb0a3eaf7fd08f9153629674e7ddb4a48410087bb54c775c65
Threat Level: Shows suspicious behavior
The file 0253556cd907c56e06aad3d79f115d5c_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 13:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 13:17
Reported
2024-06-22 13:19
Platform
win7-20231129-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aqudwrc.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\aqudwrc.dll,opuyyg" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{770DB178-5B8E-45D6-A08A-01D3B849059C} | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\yqyzlvl.dll | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\aqudwrc.dll | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C} | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ = "C:\\Windows\\SysWow64\\yqyzlvl.dll" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\aqudwrc.dll,opuyyg
Network
| Country | Destination | Domain | Proto |
| NL | 88.208.8.8:80 | tcp | |
| NL | 88.208.8.8:80 | tcp |
Files
\Windows\SysWOW64\yqyzlvl.dll
| MD5 | cd276b7f841eedfd1a488807d47d5d74 |
| SHA1 | 359cbd9d8ea50ab1378a6d9df624218877146776 |
| SHA256 | f5ed6dde98ede418d40a3906461b9b4f052f0e9cec37cd2ef2717af79247dfb7 |
| SHA512 | 8f36466ce83d02c0f028df5cce54298eee2ce9e51167297966bf861a464f7eb9c1e148363b6f5bdda2de6a736c4654ab53a8e1a5b4bd80b6cf6cc94b3212c257 |
memory/2180-0-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2180-5-0x0000000010000000-0x0000000010018000-memory.dmp
C:\Windows\SysWOW64\aqudwrc.dll
| MD5 | 2d472c8665f37b45b78772684418fe21 |
| SHA1 | 70119803f17592c2fb3188ceb5c32e9d19ce0737 |
| SHA256 | a10734205236fa06b26951e511074fa7d16de8cb7759d3fb853930301a33856e |
| SHA512 | 7c30a74b717da8fddf129dd30005ee4535b6dcebb16db9fa94d05b362e8c07717ce3324cdb13fde08802f42bad09d2eadfb4e7b754583693fb86b61c91b9c94b |
memory/2368-13-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2368-12-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2368-11-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2180-16-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2180-19-0x0000000010000000-0x0000000010018000-memory.dmp
memory/2368-20-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2180-26-0x0000000010000000-0x0000000010018000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 13:17
Reported
2024-06-22 13:19
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
99s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aqudwrc.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\aqudwrc.dll,opuyyg" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{770DB178-5B8E-45D6-A08A-01D3B849059C} | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\aqudwrc.dll | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\yqyzlvl.dll | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C} | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ = "C:\\Windows\\SysWow64\\yqyzlvl.dll" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{770DB178-5B8E-45D6-A08A-01D3B849059C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 976 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 976 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 976 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0253556cd907c56e06aad3d79f115d5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\aqudwrc.dll,opuyyg
Network
| Country | Destination | Domain | Proto |
| NL | 88.208.8.8:80 | tcp | |
| US | 52.111.229.43:443 | tcp |
Files
memory/976-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\yqyzlvl.dll
| MD5 | cd276b7f841eedfd1a488807d47d5d74 |
| SHA1 | 359cbd9d8ea50ab1378a6d9df624218877146776 |
| SHA256 | f5ed6dde98ede418d40a3906461b9b4f052f0e9cec37cd2ef2717af79247dfb7 |
| SHA512 | 8f36466ce83d02c0f028df5cce54298eee2ce9e51167297966bf861a464f7eb9c1e148363b6f5bdda2de6a736c4654ab53a8e1a5b4bd80b6cf6cc94b3212c257 |
memory/976-6-0x0000000010000000-0x0000000010018000-memory.dmp
C:\Windows\SysWOW64\aqudwrc.dll
| MD5 | 2d472c8665f37b45b78772684418fe21 |
| SHA1 | 70119803f17592c2fb3188ceb5c32e9d19ce0737 |
| SHA256 | a10734205236fa06b26951e511074fa7d16de8cb7759d3fb853930301a33856e |
| SHA512 | 7c30a74b717da8fddf129dd30005ee4535b6dcebb16db9fa94d05b362e8c07717ce3324cdb13fde08802f42bad09d2eadfb4e7b754583693fb86b61c91b9c94b |
memory/1588-9-0x0000000010000000-0x000000001001E000-memory.dmp
memory/1588-11-0x0000000010000000-0x000000001001E000-memory.dmp
memory/976-13-0x0000000000400000-0x0000000000435000-memory.dmp
memory/976-15-0x0000000010000000-0x0000000010018000-memory.dmp