Analysis

  Max time kernel: 149s
  Max time network: 120s
  Platform: windows7_x64
  Resource: win7-20240708-en
  Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  Submitted: 29/07/2024, 03:54

  Static task: static1
  Behavioral task: behavioral1
  Sample: 371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll
  Resource: win7-20240708-en
General

  Target: 371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll
  Size: 1.2MB
  MD5: 371af98fd5d1b6a8ecf30ab87a8ce6af
  SHA1: ae32ecdcb944cc6f2bab0a65e06f3e93d3222edd
  SHA256: ef76520c0aed81b7d9370ec55c8b159f4e7ffe0266e3d7789e9e886179e17816
  SHA512: b63c15c5ebb0fecdf9b144d34b544b2d614fe7558ba7f6e626946fa75622745ec149e43270d30e204078244187ccafe889d6d9961d9cd85ca1dc6b8142d400eb
  SSDEEP: 24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NA:29cKrUqZWLAcU
Malware Config

Signatures

  YARA rule match (1 IoC)
    resource: behavioral1/memory/1216-5-0x00000000024D0000-0x00000000024D1000-memory.dmp
    yara_rule: dridex_stager_shellcode

  Executes dropped EXE (3 IoCs)
    pid   Process
    2600  Netplwiz.exe
    2272  rdrleakdiag.exe
    1188  wusa.exe

  Loads dropped DLL (7 IoCs)
    pid   Process
    1216  Process not Found
    2600  Netplwiz.exe
    1216  Process not Found
    2272  rdrleakdiag.exe
    1216  Process not Found
    1188  wusa.exe
    1216  Process not Found

  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lnxdhmhg = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\FS2\\rdrleakdiag.exe"
    Process: Process not Found

  Checks whether UAC is enabled (3 IoCs)
    description        ioc                                                                                    Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdrleakdiag.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    2516  regsvr32.exe        (3 entries)
    1216  Process not Found   (remaining 61 entries)

  Suspicious use of WriteProcessMemory (18 IoCs)
    description                          pid   Process            procid_target
    PID 1216 wrote to memory of 2896     1216  Process not Found  31   (3 entries)
    PID 1216 wrote to memory of 2600     1216  Process not Found  32   (3 entries)
    PID 1216 wrote to memory of 2288     1216  Process not Found  33   (3 entries)
    PID 1216 wrote to memory of 2272     1216  Process not Found  34   (3 entries)
    PID 1216 wrote to memory of 552      1216  Process not Found  35   (3 entries)
    PID 1216 wrote to memory of 1188     1216  Process not Found  36   (3 entries)

  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

  C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll
    PID: 2516
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\Netplwiz.exe
    Command line: C:\Windows\system32\Netplwiz.exe
    PID: 2896

  C:\Users\Admin\AppData\Local\o6vdzMa8\Netplwiz.exe
    Command line: C:\Users\Admin\AppData\Local\o6vdzMa8\Netplwiz.exe
    PID: 2600
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

  C:\Windows\system32\rdrleakdiag.exe
    Command line: C:\Windows\system32\rdrleakdiag.exe
    PID: 2288

  C:\Users\Admin\AppData\Local\t1BOS\rdrleakdiag.exe
    Command line: C:\Users\Admin\AppData\Local\t1BOS\rdrleakdiag.exe
    PID: 2272
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

  C:\Windows\system32\wusa.exe
    Command line: C:\Windows\system32\wusa.exe
    PID: 552

  C:\Users\Admin\AppData\Local\TIF97r4\wusa.exe
    Command line: C:\Users\Admin\AppData\Local\TIF97r4\wusa.exe
    PID: 1188
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1.2MB
  MD5: 956f5f4d2696e735f1eec14c41213348
  SHA1: 9a8cee1b98e2b9841ab6c63a50d40bf1efd5d58c
  SHA256: 7d3af9de082c2e6c38f64d311ef1a5941e6442def911c587baeef2567035e1cf
  SHA512: 4f76a3c1a7383c25877314ba7db076441bad160bc37e2b7aaf1d07baf7d33c9b6b7b8d7c0fea004b9d4d21478fd928322fcda315b5da22b4792fe8d8f7a2ce15

  Filesize: 300KB
  MD5: c15b3d813f4382ade98f1892350f21c7
  SHA1: a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
  SHA256: 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
  SHA512: 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

  Filesize: 1.2MB
  MD5: 8f2dabe1d89df691abb4fa7d2614d419
  SHA1: d8d6b1bd8903c4756ac1b9c0fd46b267011a35a7
  SHA256: e5a47c8cd73c6b2cb4c7b12ce4aa7e3f56e7422964054fd6adfb6aee7e315607
  SHA512: 56a196878c096034b0d933102df73744ce4d8af916f8c4b2c7b238a02215db2b448e974d3281321a4d9f2995757a4a5d881da5c4bd6bac135826986cdb58220c

  Filesize: 1.2MB
  MD5: 03e4e2400cbad1c50875155cbaf9ca6d
  SHA1: 4fc83f3ae1f21be033304d0fc8606e5fea102781
  SHA256: db30571915a289700052bbeae4b586634711c68b2529618dafcbf0c95de5fe37
  SHA512: 621c76a178a7ced03e38fb1bf4e8842f0e0f6e7144967c72821f3e7c2f24c995402ac2ee33c407d4297f23ddc93f09f11491a882484aea0c97bdd137360b68c5

  Filesize: 1KB
  MD5: 26a0f56f014a44ec9127cc93301ca17e
  SHA1: 22ddc8503c91e283f3fd1fe565a2db6da3338dbd
  SHA256: d746f0b30bb47e01d0d4ef694777fbcd408895c8f3e5b01b9e70cf2902cc66ed
  SHA512: d6c4c554714da40f6c0b7ad6f8f72647d1dd07e076efca5c97aaed7472d3b2330d3934b78840fd64b1f323b7390c9987503c82c50dd2f034c834491fb8deaedd

  Filesize: 26KB
  MD5: e43ec3c800d4c0716613392e81fba1d9
  SHA1: 37de6a235e978ecf3bb0fc2c864016c5b0134348
  SHA256: 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
  SHA512: 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

  Filesize: 39KB
  MD5: 5e058566af53848541fa23fba4bb5b81
  SHA1: 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
  SHA256: ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
  SHA512: 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0