Analysis
  max time kernel:   149s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20240729-en
  resource tags:     arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted:         29-07-2024 01:51
Static task
  static1

Behavioral task
  behavioral1
  Sample:    31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll
  Resource:  win7-20240729-en

Behavioral task
  behavioral2
  Sample:    31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll
  Resource:  win10v2004-20240730-en
General
  Target:  31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll
  Size:    1.2MB
  MD5:     31b7ddc62f5f53c4e73e7e6fc2ac8a8e
  SHA1:    90bc55e8741ad80cc692f8916879afe1136d300c
  SHA256:  d62f7d5f5612a00f40af40dd9e4d077879f57a394e6c54cfdd8ac3c643212844
  SHA512:  2c1de038b2c6a2b090f0f17a1fc0118bbed7837496a7c7df345295039d16e1731c5274cde666880b5323eed51547b10a93a22efd7d2deffd14f0bcc1e8f611dc
  SSDEEP:  24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:f9cKrUqZWLAcU
Malware Config

Signatures

  resource                                                                 yara_rule
  behavioral1/memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp  dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid   Process
  2620  BitLockerWizard.exe
  936   WFS.exe
  1504  ComputerDefaults.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  1204  Process not Found
  2620  BitLockerWizard.exe
  1204  Process not Found
  936   WFS.exe
  1204  Process not Found
  1504  ComputerDefaults.exe
  1204  Process not Found

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsagbppvydnjcs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\qmTC\\WFS.exe"  Process not Found
Checks whether UAC is enabled
  description        ioc                                                                             Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ComputerDefaults.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3000  rundll32.exe         (3 entries)
  1204  Process not Found    (61 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process            procid_target
  PID 1204 wrote to memory of 2572  1204  Process not Found  30
  PID 1204 wrote to memory of 2620  1204  Process not Found  31
  PID 1204 wrote to memory of 1696  1204  Process not Found  32
  PID 1204 wrote to memory of 936   1204  Process not Found  33
  PID 1204 wrote to memory of 1316  1204  Process not Found  34
  PID 1204 wrote to memory of 1504  1204  Process not Found  35
  (each of the six entries above is recorded three times in the report)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

  C:\Windows\system32\rundll32.exe  (PID: 3000)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll,#1
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\BitLockerWizard.exe  (PID: 2572)
    Command line: C:\Windows\system32\BitLockerWizard.exe

  C:\Users\Admin\AppData\Local\b6us4oBw5\BitLockerWizard.exe  (PID: 2620)
    Command line: C:\Users\Admin\AppData\Local\b6us4oBw5\BitLockerWizard.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\WFS.exe  (PID: 1696)
    Command line: C:\Windows\system32\WFS.exe

  C:\Users\Admin\AppData\Local\5N7DNcbSr\WFS.exe  (PID: 936)
    Command line: C:\Users\Admin\AppData\Local\5N7DNcbSr\WFS.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\ComputerDefaults.exe  (PID: 1316)
    Command line: C:\Windows\system32\ComputerDefaults.exe

  C:\Users\Admin\AppData\Local\OFxp\ComputerDefaults.exe  (PID: 1504)
    Command line: C:\Users\Admin\AppData\Local\OFxp\ComputerDefaults.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads