Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-07-2024 00:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2d49503d2bb2c8767fb1694130330e24_JaffaCakes118.dll
- Resource: win7-20240704-en
General
- Target: 2d49503d2bb2c8767fb1694130330e24_JaffaCakes118.dll
- Size: 1.2MB
- MD5: 2d49503d2bb2c8767fb1694130330e24
- SHA1: b083e2e518dce9faf0c317b4080edac716f8a7d6
- SHA256: 0f7f2948cdd5729afb075981ca2d0fac509ac37886e1d0faec72fc52d12f7571
- SHA512: f120f2949aa084e8c363880e3030bab186c2fc8504bb1813bc5e49fafa043d213cccb0b57454a7dd4d513c73eb3af5dd251f028c6327cb3e8a87bdff1953a309
- SSDEEP: 24576:9uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:X9cKrUqZWLAcU
Malware Config
Signatures
- YARA rule match
  resource behavioral2/memory/3396-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp matched rule dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid 232 rdpclip.exe; pid 1192 SystemSettingsAdminFlows.exe; pid 4780 phoneactivate.exe
- Loads dropped DLL (3 IoCs)
  pid 232 rdpclip.exe; pid 1192 SystemSettingsAdminFlows.exe; pid 4780 phoneactivate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xmulajyakcaxneu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\M6U1QZB\\SystemSettingsAdminFlows.exe" (process: Process not Found)
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rdpclip.exe, SystemSettingsAdminFlows.exe and phoneactivate.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3920 regsvr32.exe (4 entries); pid 3396 Process not Found (the remaining 60 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3396 (Process not Found) wrote to memory of PID 2668 (procid_target 84), 2 entries
  PID 3396 (Process not Found) wrote to memory of PID 232 (procid_target 85), 2 entries
  PID 3396 (Process not Found) wrote to memory of PID 2092 (procid_target 86), 2 entries
  PID 3396 (Process not Found) wrote to memory of PID 1192 (procid_target 87), 2 entries
  PID 3396 (Process not Found) wrote to memory of PID 540 (procid_target 88), 2 entries
  PID 3396 (Process not Found) wrote to memory of PID 4780 (procid_target 89), 2 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2d49503d2bb2c8767fb1694130330e24_JaffaCakes118.dll
  PID: 3920
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rdpclip.exe
  Command line: C:\Windows\system32\rdpclip.exe
  PID: 2668
- C:\Users\Admin\AppData\Local\SsU4jxofg\rdpclip.exe
  Command line: C:\Users\Admin\AppData\Local\SsU4jxofg\rdpclip.exe
  PID: 232
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 2092
- C:\Users\Admin\AppData\Local\EpGF6kO\SystemSettingsAdminFlows.exe
  Command line: C:\Users\Admin\AppData\Local\EpGF6kO\SystemSettingsAdminFlows.exe
  PID: 1192
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\phoneactivate.exe
  Command line: C:\Windows\system32\phoneactivate.exe
  PID: 540
- C:\Users\Admin\AppData\Local\SnW1Lh\phoneactivate.exe
  Command line: C:\Users\Admin\AppData\Local\SnW1Lh\phoneactivate.exe
  PID: 4780
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
- Remote address: 8.8.8.8:53; Request: 71.159.190.20.in-addr.arpa IN PTR; Response: (empty)
- Remote address: 8.8.8.8:53; Request: 30.243.111.52.in-addr.arpa IN PTR; Response: (empty)
MITRE ATT&CK Enterprise v15
Downloads