Analysis

max time kernel: 129s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-07-2024 18:34

Static task: static1
Behavioral task: behavioral1
Sample: 2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll
Resource: win7-20240221-en
General

Target: 2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll
Size: 378KB
MD5: 2359e5ff4ddb2431661a2575069b9228
SHA1: 4ce3b3f36059e3d8fe2b2eff98096e325456ce7d
SHA256: 9321f7c0333333189cea832082c33d28e3d8c568762b085939aea86b1d407dca
SHA512: 7dd7c5384e45351472b52df65d1a46f92da49ee074e6b5447a567c3b5033b3c49f225a9c64610575cadfdd5372fc5b15e0ba2a435d1bd3684fe1108d9cb9b439
SSDEEP: 3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MH:vs6Xpq0H3Jhds/9+qC/zfTPLl
Malware Config

Extracted
Family: qakbot
Version: 402.343
Botnet: obama104
Campaign: 1632729661
C2 servers: 46 host:port entries
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Windows security bypass
Processes:
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Uewkvcu = "0"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Scsster = "0"
Loads dropped DLL 1 IoCs
Processes:
  PID 2496 regsvr32.exe
Modifies data under HKEY_USERS 10 IoCs
Processes:
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\b59c018d = e1f7ff996b214d66d1c01ace674beaa7055cd891ad5aaf8b13fc4595da89e61725e2d6002d00b61fc310d7b23b66fb33c3fd501d99ccc2aeafc21d7c4e27d798b95f3576
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\fd0b9e49 = 58d1038715d055c5aa92d693483bd9a4076c6932d3b7acb57fed0f7eebecd435efbcaece19c0aeb7830d92df0ad9070eaf1d94e747690f5f808a8c22cd6774b3fb99a4e95909123f16aab1
  explorer.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Livnuou
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\8242f1bf = eb2c33aed456e9a9b0315e258dd58e70cc36bd34886cf2331e4338cce5c98438adda6d8c3de6563e9b8f2a9932ed77e87692df851169a27b4a23bd7bc79faa4966d5cac868d9c7510831a2d6b0f5
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\b7dd21f1 = 9a7b782dfd8ff87803521c0ccab0056bc69ea7c440916e840a5a2929135c2d7ef25cc2c7404cb465c6e42835de1106d36a0431265d82814968b2cf1e6dacc2f72eb942422e7e20334dd4d44ac427df86b12ef0f029cc1f05ea71c1005edaffe8b04921d6b8fad57a27ca3525a56bac2e92129549a9fafe78b84a4cf2b4cac44d7b7aee4413bad74f8ee148a888554b62c59b56ca
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\f614694 = 6322874d936251d861fa24524e89ca4eba048a74b477b868a71b260034ac93ed8f9292f400490530a1df0d0244b392b7a60964c398d835edaabc6dd0b8063936e8dbd9886788ec
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\8242f1bf = eb2c24aed456dcc7362fbae673583024d1ea373227424149464b7583b6e62486265fcb997f8736967d09e33670fdc8a779dfc80e506c6590179c36a3c10b3acdf5a9424184ac5bae9f747e46d8132dfbc10aa6a10da226a6ce6673165953dcf8b4e8fa
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\d2066e8 = c9ff13ecd86dc63cdbf8bc307e5bcd1f66b6b03223c30890d3eb1c7f6d6dc676a635266a906a80571ab6cff67ae1288d7a5ca8d0e9c0e60f5b19bc857166a0fb970660
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\70282962 = fbd6b73c386e75f0bc5f3bc788d3b11a2561bb3455d40cde1c76
  explorer.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Livnuou\c8944e07 = 51ffcdb161562ed6ac1bc9a1b257d7426b03f4eab9db
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 2152 rundll32.exe
  PID 2496 regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  PID 2152 rundll32.exe
  PID 2496 regsvr32.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes (source PID / process -> target PID / process, number of recorded writes):
  2936 rundll32.exe -> 2152 rundll32.exe (7)
  2152 rundll32.exe -> 2956 explorer.exe (6)
  2956 explorer.exe -> 3068 schtasks.exe (4)
  1348 taskeng.exe -> 2332 regsvr32.exe (5)
  2332 regsvr32.exe -> 2496 regsvr32.exe (7)
  2496 regsvr32.exe -> 3028 explorer.exe (6)
  3028 explorer.exe -> 2696 reg.exe (4)
  3028 explorer.exe -> 2716 reg.exe (4)
Processes

Process tree (indented by depth; the number before each image is the depth shown in the report):

1 C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2936

  2 C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2152

    3 C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Suspicious use of WriteProcessMemory
      PID: 2956

      4 C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qqzvdtqd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll\"" /SC ONCE /Z /ST 18:36 /ET 18:48
        - Scheduled Task/Job: Scheduled Task
        PID: 3068

1 C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {92ABE1E6-9509-4B2C-BFF1-473E24860F7B} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1348

  2 C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll"
    - Suspicious use of WriteProcessMemory
    PID: 2332

    3 C:\Windows\SysWOW64\regsvr32.exe
      Command line: -s "C:\Users\Admin\AppData\Local\Temp\2359e5ff4ddb2431661a2575069b9228_JaffaCakes118.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2496

      4 C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 3028

        5 C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uewkvcu" /d "0"
          - Windows security bypass
          PID: 2696

        5 C:\Windows\system32\reg.exe
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Scsster" /d "0"
          - Windows security bypass
          PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 378KB
MD5: 2359e5ff4ddb2431661a2575069b9228
SHA1: 4ce3b3f36059e3d8fe2b2eff98096e325456ce7d
SHA256: 9321f7c0333333189cea832082c33d28e3d8c568762b085939aea86b1d407dca
SHA512: 7dd7c5384e45351472b52df65d1a46f92da49ee074e6b5447a567c3b5033b3c49f225a9c64610575cadfdd5372fc5b15e0ba2a435d1bd3684fe1108d9cb9b439