Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 20:08
Static task
static1
Behavioral task
behavioral1
Sample
0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll
-
Size
189KB
-
MD5
0f5dd209d4b48ac36c9d100d4e9c4bb1
-
SHA1
95cffc889960b5d4db51e27833cb650c8c7ac933
-
SHA256
73f0f24f6324ec5076968e1a02c8c71a8b7653272cb608df94675176333728fc
-
SHA512
39738069333286369c2eedfc3713948c58d5c815f178ff50048154bf70766cd13a4ecfd47b4dd3963cd1e8bcccab04b8f39fd64cb82975904f0b5d61951e3ce8
-
SSDEEP
3072:Rt5Gf4bwPdy5XMxJZID/RlovuTyB9yyo7GcXABr:RCIpJJTEV
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\yiqrlvcn\\hofevvlb.exe" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hofevvlb.exe svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hofevvlb.exe svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2640 fxvVpP6P 2892 ytdcbxnkwcghdkjt.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power svchost.exe -
Loads dropped DLL 6 IoCs
pid Process 804 rundll32.exe 804 rundll32.exe 2640 fxvVpP6P 2640 fxvVpP6P 2640 fxvVpP6P 2640 fxvVpP6P -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HofEvvlb = "C:\\Users\\Admin\\AppData\\Local\\yiqrlvcn\\hofevvlb.exe" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2588 804 WerFault.exe 28 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 2640 fxvVpP6P Token: SeDebugPrivilege 2640 fxvVpP6P Token: SeSecurityPrivilege 2660 svchost.exe Token: SeSecurityPrivilege 2904 svchost.exe Token: SeDebugPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeSecurityPrivilege 2892 ytdcbxnkwcghdkjt.exe Token: SeLoadDriverPrivilege 2892 ytdcbxnkwcghdkjt.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe Token: SeBackupPrivilege 2904 svchost.exe Token: SeRestorePrivilege 2904 svchost.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 2388 wrote to memory of 804 2388 rundll32.exe 28 PID 804 wrote to memory of 2640 804 rundll32.exe 29 PID 804 wrote to memory of 2640 804 rundll32.exe 29 PID 804 wrote to memory of 2640 804 rundll32.exe 29 PID 804 wrote to memory of 2640 804 rundll32.exe 29 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 2640 wrote to memory of 2660 2640 fxvVpP6P 31 PID 804 wrote to memory of 2588 804 rundll32.exe 30 PID 804 wrote to memory of 2588 804 rundll32.exe 30 PID 804 wrote to memory of 2588 804 rundll32.exe 30 PID 804 wrote to memory of 2588 804 rundll32.exe 30 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2904 2640 fxvVpP6P 32 PID 2640 wrote to memory of 2892 2640 fxvVpP6P 33 PID 2640 wrote to memory of 2892 2640 fxvVpP6P 33 PID 2640 wrote to memory of 2892 2640 fxvVpP6P 33 PID 2640 wrote to memory of 2892 2640 fxvVpP6P 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll,#12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Users\Admin\AppData\Local\Temp\fxvVpP6P"fxvVpP6P"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\ytdcbxnkwcghdkjt.exe"C:\Users\Admin\AppData\Local\Temp\ytdcbxnkwcghdkjt.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2323⤵
- Program crash
PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD574f37fe4cd2c65109465b9998183a657
SHA19419ff643ebd890e108c2732a40f9b3628b35a71
SHA2564e84e2831364f0a0b9c7d552e58b9706d0de6fae139942207af33f515dcae40b
SHA51295651b579b497f8a3f4b0eb42f90bd8a722a50b38e3b6c22133ae2390e68bad21d74f7fdc4a45fc43c8aa798c5775e87bf6cb20a6e1ed9c7e80ecb9b302b4a81