Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20/07/2024, 10:43
Static task
static1
Behavioral task
behavioral1
Sample
602911382683dfd6d644cbf52afb8357_JaffaCakes118.dll
Resource
win7-20240704-en
General
-
Target
602911382683dfd6d644cbf52afb8357_JaffaCakes118.dll
-
Size
120KB
-
MD5
602911382683dfd6d644cbf52afb8357
-
SHA1
d515aa2cedde06482c0416e8bdc0d7d4da0c6c92
-
SHA256
580a75b7a2ce3e9cae6cbb3bdaebd4bb605d9d622da0380cc7f980b4d4974867
-
SHA512
391b4528cf81d56218d4d42c99eeecf24312f552153f25b50061e141bf13ad1fd34c95aeeb3e837452599bc266725a254c7d871a45db9ae63d3bb453392176bc
-
SSDEEP
3072:PNPOLRlJrouG0jkH8cfulafTsMGp6zuUBrdCig:PwlmXmlaLsMGnUBo
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\qttqjcad\\yaldtfjt.exe" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yaldtfjt.exe svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yaldtfjt.exe svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2832 jFVnPayM4 1844 qfgbvhlahuuuxqok.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc svchost.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power svchost.exe -
Loads dropped DLL 6 IoCs
pid Process 2260 rundll32.exe 2260 rundll32.exe 2832 jFVnPayM4 2832 jFVnPayM4 2832 jFVnPayM4 2832 jFVnPayM4 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\YalDtfjt = "C:\\Users\\Admin\\AppData\\Local\\qttqjcad\\yaldtfjt.exe" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe 2192 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 2832 jFVnPayM4 Token: SeDebugPrivilege 2832 jFVnPayM4 Token: SeSecurityPrivilege 2416 svchost.exe Token: SeSecurityPrivilege 2192 svchost.exe Token: SeDebugPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeSecurityPrivilege 1844 qfgbvhlahuuuxqok.exe Token: SeLoadDriverPrivilege 1844 qfgbvhlahuuuxqok.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe Token: SeBackupPrivilege 2192 svchost.exe Token: SeRestorePrivilege 2192 svchost.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2240 wrote to memory of 2260 2240 rundll32.exe 28 PID 2260 wrote to memory of 2832 2260 rundll32.exe 29 PID 2260 wrote to memory of 2832 2260 rundll32.exe 29 PID 2260 wrote to memory of 2832 2260 rundll32.exe 29 PID 2260 wrote to memory of 2832 2260 rundll32.exe 29 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2416 2832 jFVnPayM4 30 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 2192 2832 jFVnPayM4 31 PID 2832 wrote to memory of 1844 2832 jFVnPayM4 32 PID 2832 wrote to memory of 1844 2832 jFVnPayM4 32 PID 2832 wrote to memory of 1844 2832 jFVnPayM4 32 PID 2832 wrote to memory of 1844 2832 jFVnPayM4 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\602911382683dfd6d644cbf52afb8357_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\602911382683dfd6d644cbf52afb8357_JaffaCakes118.dll,#12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\jFVnPayM4"jFVnPayM4"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\qfgbvhlahuuuxqok.exe"C:\Users\Admin\AppData\Local\Temp\qfgbvhlahuuuxqok.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5728a53df2a3d2f5307fe1cc77179d2a5
SHA1a3c9de63748878de218c872e97eef0de767df853
SHA256d9ee5d0e2dd387be3a501cc88cb2b2b310016cdedd7a83be402c203e4dc76e9e
SHA5127496a435296ca0b08b554fb779ab3eb6709064a480a93e6f948f14a072cfbc1fe7e7ac8a31ea572b7a9910ad6b3d6e2019993bfd609d199cefd61c609c7fe893